PT-2019-19953 · Western Digital · Western Digital My Cloud+8
Bnbdrwd · Published 2019-05-23 · Updated 2019-05-29
CVE-2019-9949
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Western Digital My Cloud Cloud, Mirror Gen2, EX2 Ultra, EX2100, EX4100, DL2100, DL4100, PR2100 and PR4100 versions prior to 2.31.183
Description
The issue allows for code execution as root, starting from a low-privilege user session. This occurs due to the cgi-bin/webfile_mgr.cgi file permitting arbitrary file write by exploiting symlinks. The vulnerability can be triggered by uploading a tar archive containing a symbolic link, followed by uploading another archive that writes a file to the link using the cgi_untar command. The name parameter passed to the cgi_unzip command is not sanitized, leading to code execution.
Recommendations
For Western Digital My Cloud Cloud, Mirror Gen2, EX2 Ultra, EX2100, EX4100, DL2100, DL4100, PR2100 and PR4100 versions prior to 2.31.183, update to firmware version 2.31.183 or later to resolve the issue. As a temporary workaround, consider restricting access to the cgi-bin/webfile_mgr.cgi file and the cgi_untar command to minimize the risk of exploitation. Avoid using the name parameter in the cgi_unzip command until the issue is resolved.
Exploit
Fix
Link Following
Weakness Enumeration
Related Identifiers
Affected Products
DL2100
DL4100
EX2 Ultra
EX2100
EX4100
Mirror Gen2
PR2100
PR4100
Western Digital My Cloud
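
The defensive counterpart to the two-archive symlink write in the Description, as an added example that is not Western Digital's code or part of the original advisory: an extraction routine that refuses link members and resolves links already on disk before every write. The names safe_untar, UnsafeArchive and build_tar are hypothetical, and build_tar only produces constructed sample archives.

```python
import io
import os
import shutil
import tarfile


class UnsafeArchive(Exception):
    """A member would create a link or write outside the destination."""


def safe_untar(fileobj, dest):
    """Extract only regular files and directories, confined to dest."""
    root = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            # First upload in the advisory: never materialise links or devices.
            if not (member.isreg() or member.isdir()):
                raise UnsafeArchive(f"disallowed member type: {member.name}")
            # Second upload: realpath() resolves symlinks already on disk, so a
            # link left by any earlier operation cannot redirect this write.
            target = os.path.realpath(os.path.join(root, member.name))
            if os.path.commonpath([root, target]) != root:
                raise UnsafeArchive(f"escapes destination: {member.name}")
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tar.extractfile(member) as src, open(target, "wb") as out:
                    shutil.copyfileobj(src, out)
            written.append(member.name)
    return written


def build_tar(files=(), links=()):
    """Constructed sample input: in-memory tar of (name, data) / (name, target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, linkname in links:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = tarfile.SYMTYPE, linkname
            tar.addfile(info)
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

The path check and the write are separate steps, so this assumes no other process can modify the destination directory while extraction runs.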