Proprietary File Explorer app had directory traversal bug, storage provider says
Western Digital fixed a bug in its software that allowed attackers to access restricted files.
The security flaw resided in EdgeRover, Western Digital's proprietary file explorer application, and affects both the Mac and Windows versions of the software.
Both versions of the product suffer from a directory traversal vulnerability. According to the company's advisory, an attacker with local access can use it to elevate their privileges and bypass the application's basic file system sandboxing.
“These vulnerabilities, when successfully exploited, could lead to the disclosure of sensitive information or a denial of service,” the company said.
Western Digital has logged the bug as CVE-2022-22988. It carries a CVSS score of 9.1 and is rated critical.
Although the bug could allow access to restricted files, an attacker would need to have already compromised the machine to exploit it, since the traversal is only reachable locally.
The company fixed the flaw by modifying file and directory permissions, limiting the folders from which files can be loaded. Customers should upgrade to version 188.8.131.524 of the application on both Mac and Windows machines to resolve the issue.
EdgeRover allows users to create an inventory and snapshots of all files stored on their computer and external drives. The product lets users search through all of their files, including media on drives that are not currently connected. The search function also includes image and document previews.
EdgeRover has suffered from security bugs in the past. In December 2021, Western Digital reported two vulnerabilities in the Mac and Windows versions of the app. The bugs, which resided in its bundled OpenSSL library, allowed denial of service and remote code execution on the system. The company fixed these issues by updating the OpenSSL library.
Another bug in the Windows version, patched last May, allowed users to elevate privileges and upload malicious content to restricted directories. This bug resided in the company’s implementation of Node.js.
© Dennis Publishing