CVE-2022-22997 - OpenCVE

Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel
Westerndigital	My Cloud Home My Cloud Home Duo My Cloud Home Duo Firmware My Cloud Home Firmware

Configuration 1 [-]

AND

cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:westerndigital:my_cloud_home_duo:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*

Configuration 2 [-]

AND

cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:westerndigital:my_cloud_home:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*

No data.

References

Link	Providers
https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107

History

No history.

MITRE

Status: PUBLISHED

Assigner: WDC PSIRT

Published: 2022-07-12T20:22:36

Updated: 2024-08-03T03:28:42.830Z

Reserved: 2022-01-10T00:00:00

Link: CVE-2022-22997

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-07-12T21:15:09.393

Modified: 2022-07-20T15:24:44.043

Link: CVE-2022-22997

Redhat

No data.

{"containers": {"cna": {"affected": [{"platforms": ["Linux"], "product": "My Cloud Home", "vendor": "Western Digital", "versions": [{"lessThan": "8.5.1-102", "status": "affected", "version": "My Cloud Home Firmware", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Western Digital would like to thank Viettel Cyber Security for reporting this issue."}], "descriptions": [{"lang": "en", "value": "Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 OS Command Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-12T20:22:36", "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", "shortName": "WDC PSIRT"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107"}], "solutions": [{"lang": "en", "value": "My Cloud Home devices have been automatically updated to resolve this vulnerability"}], "source": {"discovery": "EXTERNAL"}, "title": "Command Injection Vulnerability on My Cloud Home", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@wdc.com", "ID": "CVE-2022-22997", "STATE": "PUBLIC", "TITLE": "Command Injection Vulnerability on My Cloud Home"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "My Cloud Home", "version": {"version_data": [{"platform": "Linux", "version_affected": "<", "version_name": "My Cloud Home Firmware", "version_value": "8.5.1-102"}]}}]}, "vendor_name": "Western Digital"}]}}, "credit": [{"lang": "eng", "value": "Western Digital would like to thank Viettel Cyber Security for reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78 OS Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107", "refsource": "MISC", "url": "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107"}]}, "solution": [{"lang": "en", "value": "My Cloud Home devices have been automatically updated to resolve this vulnerability"}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:28:42.830Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107"}]}]}, "cveMetadata": {"assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", "assignerShortName": "WDC PSIRT", "cveId": "CVE-2022-22997", "datePublished": "2022-07-12T20:22:36", "dateReserved": "2022-01-10T00:00:00", "dateUpdated": "2024-08-03T03:28:42.830Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A841DCC2-1613-4AEA-9BA4-01C8CDFFC139", "versionEndExcluding": "8.5.1-102", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:*", "matchCriteriaId": "124BBC79-65A2-465C-B784-D21E57E96F63", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6F6393CE-61EF-48D1-AD0B-2462D0E08406", "versionEndExcluding": "8.5.1-102", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:*", "matchCriteriaId": "2BE2FBAB-5BA0-4F09-A76E-4A6869668810", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices."}, {"lang": "es", "value": "Se ha abordado una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo remota mediante la resoluci\u00f3n de una vulnerabilidad de inyecci\u00f3n de comandos y el cierre de un cubo de AWS S3 que potencialmente permit\u00eda a un atacante ejecutar c\u00f3digo sin firmar en los dispositivos de My Cloud Home"}], "id": "CVE-2022-22997", "lastModified": "2022-07-20T15:24:44.043", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "psirt@wdc.com", "type": "Secondary"}]}, "published": "2022-07-12T21:15:09.393", "references": [{"source": "psirt@wdc.com", "tags": ["Vendor Advisory"], "url": "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107"}], "sourceIdentifier": "psirt@wdc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "psirt@wdc.com", "type": "Secondary"}]}