PT-2019-15722 · Western Digital · Libscheddl.So+1
Delspon
+1
·
Published
2019-11-13
·
Updated
2019-11-15
·
CVE-2019-18930
CVSS v2.0
9.0
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Western Digital My Cloud EX2 Ultra firmware version 2.31.183
Description
The issue allows remote execution of arbitrary code via a stack-based buffer overflow. This is possible due to the lack of size verification logic in one of the functions in libscheddl.so. The download mgr.cgi endpoint makes it possible to enter large-sized
f idx inputs, which can be exploited.Recommendations
For Western Digital My Cloud EX2 Ultra firmware version 2.31.183, consider disabling the download mgr.cgi endpoint until a patch is available to prevent exploitation. Additionally, restricting access to the libscheddl.so library may help minimize the risk.
Exploit
Fix
Memory Corruption
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Western Digital My Cloud Ex2 Ultra
Libscheddl.So