CVE-2022-23000

Weak Default SSL use in Port Forwarding Service

Description

The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an "SSL" context instead of "TLS" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability.

Remediation

Solution:

To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.

References

Link	Tags
https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2022-23000?: CVE-2022-23000 has been scored as a high severity vulnerability.
How to fix CVE-2022-23000?: To fix CVE-2022-23000: To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.
Is CVE-2022-23000 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2022-23000 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-23000?: CVE-2022-23000 affects Western Digital My Cloud.

Description

Remediation

Category

CWE-757 – Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

References

Frequently Asked Questions