Vulnerability-Lookup

CNVD-2022-88804

Vulnerability from cnvd - Published: 2022-12-21

Title

多款Western Digital产品缓冲区溢出漏洞

Description

Western Digital My Cloud等都是美国西部数据（Western Digital）公司的产品。Western Digital My Cloud是一款个人云存储设备。Western Digital My Cloud Home是一款易于使用的个人云存储设备。SanDisk ibi等都是美国SanDisk公司的产品。SanDisk ibi是一个智能照片管理器和媒体存储硬盘。 Western Digital产品存在缓冲区溢出漏洞，攻击者可利用该漏洞本地访问系统，读取/etc/version文件。

Severity

低

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.westerndigital.com/zh-cn

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-23006

Impacted products

Name
['Western Digital My Cloud Home <8.10.0-117', 'Western Digital My Cloud Home Duo <8.10.0-117', 'Western Digital SanDisk ibi <8.10.0-117']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-23006",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-23006"
    }
  },
  "description": "Western Digital My Cloud\u7b49\u90fd\u662f\u7f8e\u56fd\u897f\u90e8\u6570\u636e\uff08Western Digital\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Western Digital My Cloud\u662f\u4e00\u6b3e\u4e2a\u4eba\u4e91\u5b58\u50a8\u8bbe\u5907\u3002Western Digital My Cloud Home\u662f\u4e00\u6b3e\u6613\u4e8e\u4f7f\u7528\u7684\u4e2a\u4eba\u4e91\u5b58\u50a8\u8bbe\u5907\u3002SanDisk ibi\u7b49\u90fd\u662f\u7f8e\u56fdSanDisk\u516c\u53f8\u7684\u4ea7\u54c1\u3002SanDisk ibi\u662f\u4e00\u4e2a\u667a\u80fd\u7167\u7247\u7ba1\u7406\u5668\u548c\u5a92\u4f53\u5b58\u50a8\u786c\u76d8\u3002\n\nWestern Digital\u4ea7\u54c1\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u672c\u5730\u8bbf\u95ee\u7cfb\u7edf\uff0c\u8bfb\u53d6/etc/version\u6587\u4ef6\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.westerndigital.com/zh-cn",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-88804",
  "openTime": "2022-12-21",
  "products": {
    "product": [
      "Western Digital My Cloud Home \u003c8.10.0-117",
      "Western Digital My Cloud Home Duo \u003c8.10.0-117",
      "Western Digital SanDisk ibi \u003c8.10.0-117"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-23006",
  "serverity": "\u4f4e",
  "submitTime": "2022-09-29",
  "title": "\u591a\u6b3eWestern Digital\u4ea7\u54c1\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e"
}

CVE-2022-23006 (GCVE-0-2022-23006)

Vulnerability from cvelistv5 – Published: 2022-09-27 13:53 – Updated: 2025-05-21 15:09

Title

Buffer Overflow Vulnerability in Western Digital My Cloud Home Products and SanDisk ibi

Summary

A stack-based buffer overflow vulnerability was found on Western Digital My Cloud Home, My Cloud Home Duo, and SanDisk ibi that could allow an attacker accessing the system locally to read information from /etc/version file. This vulnerability can only be exploited by chaining it with another issue. If an attacker is able to carry out a remote code execution attack, they can gain access to the vulnerable file, due to the presence of insecure functions in code. User interaction is required for exploitation. Exploiting the vulnerability could result in exposure of information, ability to modify files, memory access errors, or system crashes.

Severity ?

1.8 (Low)


                        
                          CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

CWE

CWE-121 - Stack-based Buffer Overflow

Assigner

WDC PSIRT

References

URL

Tags

https://nvd.nist.gov/vuln/detail/CVE-2022-23006

x_refsource_MISC

Impacted products

Vendor

Product

Version

Western Digital

My Cloud Home

Affected: 8.10.0-117 , < 8.10.0-117 (custom)

	Western Digital	My Cloud Home Duo	Affected: 8.10.0-117 , < 8.10.0-117 (custom)
	SanDisk	ibi	Affected: 8.10.0-117 , < 8.10.0-117 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:28:42.880Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23006"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23006",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-21T15:09:18.339787Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-21T15:09:24.355Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Linux"
          ],
          "product": "My Cloud Home",
          "vendor": "Western Digital",
          "versions": [
            {
              "lessThan": "8.10.0-117",
              "status": "affected",
              "version": "8.10.0-117",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "Linux"
          ],
          "product": "My Cloud Home Duo",
          "vendor": "Western Digital",
          "versions": [
            {
              "lessThan": "8.10.0-117",
              "status": "affected",
              "version": "8.10.0-117",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "Linux"
          ],
          "product": "ibi",
          "vendor": "SanDisk",
          "versions": [
            {
              "lessThan": "8.10.0-117",
              "status": "affected",
              "version": "8.10.0-117",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A stack-based buffer overflow vulnerability was found on Western Digital My Cloud Home, My Cloud Home Duo, and SanDisk ibi that could allow an attacker accessing the system locally to read information from /etc/version file. This vulnerability can only be exploited by chaining it with another issue. If an attacker is able to carry out a remote code execution attack, they can gain access to the vulnerable file, due to the presence of insecure functions in code. User interaction is required for exploitation. Exploiting the vulnerability could result in exposure of information, ability to modify files, memory access errors, or system crashes."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 1.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-27T13:53:34.000Z",
        "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
        "shortName": "WDC PSIRT"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23006"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Your device will be automatically updated to the latest firmware version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Buffer Overflow Vulnerability in Western Digital My Cloud Home Products and SanDisk ibi",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@wdc.com",
          "ID": "CVE-2022-23006",
          "STATE": "PUBLIC",
          "TITLE": "Buffer Overflow Vulnerability in Western Digital My Cloud Home Products and SanDisk ibi"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "My Cloud Home",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Linux",
                            "version_affected": "\u003c",
                            "version_name": "8.10.0-117",
                            "version_value": "8.10.0-117"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "My Cloud Home Duo",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Linux",
                            "version_affected": "\u003c",
                            "version_name": "8.10.0-117",
                            "version_value": "8.10.0-117"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Western Digital"
              },
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ibi",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Linux",
                            "version_affected": "\u003c",
                            "version_name": "8.10.0-117",
                            "version_value": "8.10.0-117"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SanDisk"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A stack-based buffer overflow vulnerability was found on Western Digital My Cloud Home, My Cloud Home Duo, and SanDisk ibi that could allow an attacker accessing the system locally to read information from /etc/version file. This vulnerability can only be exploited by chaining it with another issue. If an attacker is able to carry out a remote code execution attack, they can gain access to the vulnerable file, due to the presence of insecure functions in code. User interaction is required for exploitation. Exploiting the vulnerability could result in exposure of information, ability to modify files, memory access errors, or system crashes."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 1.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-121 Stack-based Buffer Overflow"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://nvd.nist.gov/vuln/detail/CVE-2022-23006",
              "refsource": "MISC",
              "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23006"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Your device will be automatically updated to the latest firmware version."
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
    "assignerShortName": "WDC PSIRT",
    "cveId": "CVE-2022-23006",
    "datePublished": "2022-09-27T13:53:29.000Z",
    "dateReserved": "2022-01-10T00:00:00.000Z",
    "dateUpdated": "2025-05-21T15:09:24.355Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-88804

CVE-2022-23006 (GCVE-0-2022-23006)

Tags

Sightings

Nomenclature