#VU54524 Missing authentication for critical function in My Cloud PR4100

 


Published: July 5, 2021


Vulnerability identifier: #VU54524
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: My Cloud PR4100
Software vendor: Western Digital

Description

The vulnerability allows a remote attacker to compromise the affected device.

The vulnerability exists due to a configuration error affecting access to the management API, combined with an empty password for the "nobody" user account. A remote unauthenticated attacker can log in to the administrative interface under the "nobody" user account with an empty password and upload an arbitrary OS image onto the device.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.


Remediation

Upgrade your firmware to My Cloud OS 5.
