#VU86124 Resource exhaustion in Western Digital products - CVE-2023-22819

Cybersecurity Help s.r.o.

Published: 2024-02-06 | Updated: 2024-02-07

Vulnerability identifier: #VU86124

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-22819

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vendor: Western Digital

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the RESTSDK server. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

My Cloud PR2100: before 5.27.161

My Cloud PR4100: before 5.27.161

My Cloud EX4100: before 5.27.161

My Cloud EX2 Ultra: before 5.27.161

My Cloud Mirror G2: before 5.27.161

My Cloud DL2100: before 5.27.161

My Cloud DL4100: before 5.27.161

My Cloud EX2100: before 5.27.161

My Cloud (Glacier): before 5.27.161

WD Cloud: before 5.27.161

My Cloud Home: before 9.5.1-104

My Cloud Home Duo: before 9.5.1-104

SanDisk ibi: before 9.5.1-104

External links
https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update
https://www.zerodayinitiative.com/advisories/ZDI-24-088/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Western Digital My Cloud OS 5, My Cloud Home and SanDisk ibi devices