If you like the data on your WD My Cloud OS 3 device, patch it now

by Dan Goodin, from Ars Technica
Western Digital has patched three critical vulnerabilities (one with a severity rating of 9.8 and another with a 9.0) that make it possible for hackers to steal data or remotely hijack storage devices running version 3 of the company's My Cloud OS.

CVE-2021-40438, as one of the vulnerabilities is tracked, allows remote attackers with no authentication to make devices forward requests to servers of the attacker's choosing. Like the other two flaws Western Digital fixed, it resides in the Apache HTTP Server versions 2.4.48 and earlier. Attackers have already successfully exploited it to steal hashed passwords from a vulnerable system, and exploit code is readily available.

The vulnerability, with a severity rating of 9 out of a maximum 10, stems from a Server-Side Request Forgery. This class of bug lets attackers funnel malicious requests to internal systems that are behind firewalls or otherwise not accessible outside a private network. It works by inducing server-side applications to make HTTP requests to an arbitrary domain of the attacker's choosing.
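The general defence against this bug class, for any server-side code that fetches a URL on a client's behalf, is to vet where the request will actually land before sending it. The sketch below is an added example, not code from the article, Western Digital or Apache, and it does not replace installing the patch; the function names, host names and DNS data are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample DNS data so the example runs offline (hypothetical names).
SAMPLE_DNS = {
    "updates.example.com": ["93.184.216.34"],
    "nas.example.com": ["93.184.216.34", "192.168.1.20"],  # one internal record
    "metadata.example.com": ["169.254.169.254"],
}

def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, [host])  # IP literals map to themselves

def system_resolver(host, port):
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable answer: fail closed
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # treat ::ffff:10.0.0.1 as 10.0.0.1
    return (not addr.is_global) or addr.is_multicast

def check_destination(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL the server is about to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    try:
        host, port = parts.hostname, parts.port
    except ValueError:
        return False, "invalid port"
    if not host:
        return False, "missing host"
    try:
        addrs = resolver(host, port or (443 if parts.scheme == "https" else 80))
    except OSError:
        return False, "resolution failed"
    if not addrs:
        return False, "no addresses"
    for ip in addrs:  # every record must be external, not just the first
        if is_internal(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"
```

A caller should then connect to one of the vetted addresses rather than resolving the name a second time, so the answer cannot change between the check and the request.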
