A Path Traversal vulnerability in Western Digital devices exposes sensitive data to attackers by allowing them to create arbitrary shares on directories.
Understanding CVE-2022-36328
CVE-2022-36328 is a Path Traversal vulnerability affecting Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi, and My Cloud OS 5 devices. The vulnerability enables attackers to create arbitrary shares on directories and exfiltrate sensitive data once they gain root privileges.
What is CVE-2022-36328?
Discovered in Western Digital and SanDisk devices, CVE-2022-36328 allows attackers to read arbitrary files and compromise sensitive information by exploiting a Path Traversal issue. The vulnerability requires root access on affected devices.
The Impact of CVE-2022-36328
The vulnerability poses a medium-severity risk with a CVSS base score of 5.8, affecting devices running specific versions of the firmware. Attackers can leverage this flaw to access and exfiltrate sensitive files, passwords, user data, and device configurations.
Technical Details of CVE-2022-36328
The vulnerability is categorized under CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). It has a CVSS v3.1 base score of 5.8 (Medium severity) and a HIGH attack complexity.
Vulnerability Description
Once an attacker has obtained root privileges, for example through an authentication bypass, CVE-2022-36328 allows arbitrary file reads and unauthorized access to critical data on affected Western Digital and SanDisk devices.
Affected Systems and Versions
Devices impacted by CVE-2022-36328 include My Cloud Home, My Cloud Home Duo (before 9.4.0-191), SanDisk ibi (before 9.4.0-191), and My Cloud OS 5 (before 5.26.202).
Exploitation Mechanism
To exploit the vulnerability, threat actors need to first gain root privileges by leveraging an authentication bypass issue or another vulnerability present in the affected devices.
Mitigation and Prevention
Act promptly to secure your Western Digital and SanDisk devices against CVE-2022-36328. Follow these steps to mitigate the risk and prevent potential data breaches:
Immediate Steps to Take
For My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices, make sure automatic updates have installed the latest firmware version.
Long-Term Security Practices
Regularly monitor for firmware updates and apply them promptly to stay protected against known vulnerabilities.
Patching and Updates
For My Cloud OS 5 devices, users are strongly advised to update their devices to the latest firmware by clicking on the provided notification.