Western Digital users of the EdgeRover app for Windows and Mac are advised to download an updated version to avoid a security vulnerability that could allow an attacker to gain unauthorized access to directories and files.
The flaw, which was given the CVE ID number CVE-2022-22988, carries a CVSS (Common Vulnerability Scoring System) severity rating of 9.1, making it a critical weakness. It has now been resolved, however, with a change to how EdgeRover handles file and directory permissions.
According to Western Digital, the flaw meant that EdgeRover was subject to a directory traversal vulnerability, which could have allowed an attacker to perform local elevation of privilege and bypass file system sandboxing. If successfully exploited, it could lead to the disclosure of sensitive information or even a potential denial of service attack, the company said.
Western Digital released a notification on its support site advising users of both the Windows and Mac versions of the EdgeRover desktop app to ensure they are running at least version 1.5.1-594, which contains the fix for this issue.
The EdgeRover app is designed to provide users with a single view of their content, which can be spread across multiple storage devices and cloud storage services. EdgeRover creates a searchable and navigable catalog of all content, and also provides tools to manage supported Western Digital and SanDisk storage devices.
In particular, EdgeRover is capable of altering vital settings on supported Western Digital and SanDisk devices, including the ability to set passwords, delete content, and rename devices, which would give an attacker considerable leeway to cause harm.
This isn’t the first EdgeRover security patch this year. In January, the firm advised users to download an updated version to address multiple vulnerabilities, but in that case the vulnerabilities were in an open-source component used by EdgeRover, the FFmpeg multimedia framework.
With that vulnerability, an exploit could have caused a denial of service or allowed an attacker to execute code by presenting malformed files or streams for processing. It also carried a CVSS severity rating of 9.1. ®