A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP.
References
Link | Resource |
---|---|
https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 | Vendor Advisory |
https://www.zerodayinitiative.com/advisories/ZDI-22-077/ | Third Party Advisory VDB Entry |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: WDC PSIRT
Published: 2022-01-13T20:27:25
Updated: 2022-01-17T14:06:10
Reserved: 2022-01-10T00:00:00
Link: CVE-2022-22991
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-01-13T21:15:08.980
Modified: 2022-01-21T16:33:52.383
Link: CVE-2022-22991
JSON object: View
Redhat Information
No data.