Main Vulnerability Database SB2018012311

SB2018012311 - Remote code execution in Western Digital My Cloud

Published: January 23, 2018

Security Bulletin ID SB2018012311

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper authentication (CVE-ID: CVE-2017-17560)

The vulnerability allows a remote attacker can execute arbitrary code on the target system.

The weakness exists in the /web/jquery/uploader/multi_uploadify.php function due to insufficient authentication. A remote attacker can submit a specially crafted PHP shell and execute arbitrary code with root privileges.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Install update from vendor's website.

References

https://community.wd.com/t/new-release-my-cloud-firmware-versions-4-05-00-320-11-28-17-2-30-181-01-1...