A device API endpoint was found to be missing access controls on various Western Digital and SanDisk mobile and web applications, potentially allowing a remote attacker to access device information by exploiting a permissive CORS policy and missing authentication requirements.
Understanding CVE-2023-22813
This CVE highlights a vulnerability in several mobile and web applications developed by Western Digital and SanDisk. The flaw could be exploited by a remote attacker within the same network to obtain sensitive device information.
What is CVE-2023-22813?
The vulnerability stems from a lack of access controls on the device API endpoint used by Western Digital My Cloud OS 5 Mobile App, My Cloud Home Mobile App, ibi Mobile App, My Cloud OS 5 Web App, My Cloud Home Web App, and ibi Web App. Due to this oversight, an attacker could trick a user into visiting a malicious server and issue a cross-site request, leading to the unauthorized access of device data.
The Impact of CVE-2023-22813
The impact of this vulnerability is rated as low severity. While the attack complexity is low and privileges are not required, user interaction is necessary for exploitation. The confidentiality impact is low, with no integrity impact and no effect on availability.
Technical Details of CVE-2023-22813
This section provides more insight into the vulnerability, including its description, affected systems, and exploitation mechanism.
Vulnerability Description
The vulnerability arises from the absence of access controls on the device API endpoint, enabling attackers to retrieve device information through a crafted request.
Affected Systems and Versions
Exploitation Mechanism
The vulnerability can be exploited by an attacker on the same network as the targeted device. By convincing a user to visit a malicious server, the attacker can initiate a cross-site request to access sensitive device information.
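To make the two weaknesses described above concrete (an Origin-reflecting CORS policy combined with no authentication on the device-info endpoint), here is an added illustration, not code from Western Digital, SanDisk or any of the affected apps. It models a weak handler beside a hardened one and a simplified browser-side CORS read check; the origins, token and device fields are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed for illustration: one trusted web-app origin and one valid session token.
TRUSTED_ORIGINS = {"https://webapp.example"}
VALID_TOKENS = {"session-token-123"}
DEVICE_INFO = {"model": "example-nas", "serial": "CONSTRUCTED-0001"}  # sample data


@dataclass
class Request:
    origin: Optional[str]        # value of the Origin header sent by the browser
    token: Optional[str] = None  # session credential, if the caller has one


def permissive_device_info(req: Request):
    """Weak handler: reflects any Origin with credentials allowed and never checks auth."""
    headers = {}
    if req.origin:
        headers["Access-Control-Allow-Origin"] = req.origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return 200, headers, DEVICE_INFO


def hardened_device_info(req: Request):
    """Fixed handler: CORS headers only for allowlisted origins, and auth is required."""
    headers = {"Vary": "Origin"}  # caches must not reuse a response across origins
    if req.origin in TRUSTED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = req.origin
        headers["Access-Control-Allow-Credentials"] = "true"
    if req.token not in VALID_TOKENS:
        return 401, headers, None  # no device data without a valid credential
    return 200, headers, DEVICE_INFO


def browser_can_read(page_origin: str, headers: dict) -> bool:
    """Simplified CORS check a browser applies before exposing a credentialed
    cross-site response to the calling page: ACAO must equal the page origin."""
    return headers.get("Access-Control-Allow-Origin") == page_origin


if __name__ == "__main__":
    # A page on an attacker-controlled site issuing a cross-site request to the device.
    evil = Request(origin="https://malicious.example")
    for handler in (permissive_device_info, hardened_device_info):
        status, hdrs, body = handler(evil)
        print(handler.__name__, status, browser_can_read(evil.origin, hdrs), body)
```

With the permissive handler the malicious page receives the device data; with the hardened handler it gets a 401 and, even if data were returned, no usable CORS header.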
Mitigation and Prevention
To address CVE-2023-22813, the following immediate steps, long-term security practices, and patching and update measures are recommended.
Immediate Steps to Take
Users of the affected mobile apps should promptly update to versions that address the vulnerability. Web apps have been automatically updated to mitigate the risk.
Long-Term Security Practices
Regularly updating applications, maintaining network security, and educating users on safe browsing practices can enhance overall security posture.
Patching and Updates
Ensuring that all software and applications are up to date with the latest security patches is crucial in preventing exploitation of known vulnerabilities.
Remember to stay informed about security updates from Western Digital and SanDisk to protect against potential threats.