CVE-2022-23006 : A stack-based buffer overflow vulnerability was found on Western Digital My Clou

A stack-based buffer overflow vulnerability was found on Western Digital My Cloud Home, My Cloud Home Duo, and SanDisk ibi that could allow an attacker accessing the system locally to read information from /etc/version file. This vulnerability can only be exploited by chaining it with another issue. If an attacker is able to carry out a remote code execution attack, they can gain access to the vulnerable file, due to the presence of insecure functions in code. User interaction is required for exploitation. Exploiting the vulnerability could result in exposure of information, ability to modify files, memory access errors, or system crashes.

Published 2022-09-27 23:15:13

Updated 2022-10-03 18:40:17

Source Western Digital

View at NVD, CVE.org

Vulnerability category: OverflowMemory CorruptionExecute code

Products affected by CVE-2022-23006

Westerndigital » My Cloud Home Firmware
Versions before (<) 8.10.0-117
cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Westerndigital » My Cloud Home » Version: N/A
Westerndigital » My Cloud Home Duo Firmware
Versions before (<) 8.10.0-117
cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Westerndigital » My Cloud Home Duo » Version: N/A
Westerndigital » Sandisk Ibi Firmware
Versions before (<) 8.10.0-117
cpe:2.3:o:westerndigital:sandisk_ibi_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Westerndigital » Sandisk Ibi » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2022-23006

EPSS FAQ

0.27%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 47 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-23006

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.7	MEDIUM	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H	0.8	5.9	NIST
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
1.8	LOW	CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N	0.3	1.4	Western Digital
Attack Vector: Local Attack Complexity: High Privileges Required: High User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2022-23006

CWE-121 Stack-based Buffer Overflow

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Assigned by: psirt@wdc.com (Secondary)
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-23006

https://www.westerndigital.com/support/product-security/wdc-22015-western-digital-my-cloud-home-and-sandisk-ibi-firmware-version-8-10-0-117

WDC-22015 Western Digital My Cloud Home and SanDisk ibi Firmware Version 8.10.0-117 | Western Digital
Vendor Advisory
https://nvd.nist.gov/vuln/detail/CVE-2022-23006

NVD - CVE-2022-23006
Third Party Advisory;US Government Resource

Jump to

Vulnerability Details : CVE-2022-23006

Products affected by CVE-2022-23006

Exploit prediction scoring system (EPSS) score for CVE-2022-23006

CVSS scores for CVE-2022-23006

CWE ids for CVE-2022-23006

References for CVE-2022-23006