Users of Western Digital’s EdgeRover app for Windows and Mac are advised to download an updated version to avoid a security flaw that might allow an attacker unauthorized access to directories and files.
The flaw, which was given the CVE identification number CVE-2022-22988, carries a Common Vulnerability Scoring System (CVSS) severity rating of 9.1, making it a critical weakness. It has now been addressed, however, with a modification to the way EdgeRover handles file and directory permissions.
According to Western Digital, the flaw meant that EdgeRover was subject to a directory traversal vulnerability, which may have allowed an attacker to carry out a local privilege escalation and bypass file system sandboxing. If successfully exploited, this could lead to the disclosure of sensitive information or even a potential denial-of-service attack, the firm said.
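The advisory does not describe EdgeRover's internal checks, so the following is an added illustration rather than Western Digital's code: a weak containment check of the kind that lets a directory traversal through, beside a hardened version that keeps every resolved path inside the catalog root. The root directory and sample requests are constructed placeholders.

```python
import posixpath
from typing import Optional

# Hypothetical catalog root; the real EdgeRover paths are not published in the advisory.
CATALOG_ROOT = "/var/lib/catalog"


def naive_resolve(root: str, requested: str) -> Optional[str]:
    """Weak check: join and test a string prefix without normalising.

    "../" segments survive the join, so the OS later resolves the path
    outside root, and a sibling such as "/var/lib/catalog-old" also passes.
    """
    candidate = posixpath.join(root, requested)
    return candidate if candidate.startswith(root) else None


def safe_resolve(root: str, requested: str) -> Optional[str]:
    """Hardened check: normalise first, then require component-wise containment."""
    root = posixpath.normpath(root)
    # join() discards root when `requested` is absolute; normpath() collapses "..".
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # commonpath() compares whole components, so a prefix match like
    # "/var/lib/catalog-old" is rejected where startswith() would accept it.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    # On a live filesystem, also compare os.path.realpath(root) with
    # os.path.realpath(candidate) so a symlink inside root cannot escape it.
    return candidate


# Constructed sample requests: one legitimate, three traversal attempts.
SAMPLE_REQUESTS = [
    "photos/2021/img.jpg",
    "../../../etc/passwd",
    "/etc/passwd",
    "photos/../../catalog-old/secret.txt",
]


def compare(root: str = CATALOG_ROOT) -> dict:
    """Return {request: (naive_result, safe_result)} for the sample requests."""
    return {r: (naive_resolve(root, r), safe_resolve(root, r)) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for req, (naive, safe) in compare().items():
        print(f"{req!r:40} naive={naive!r:45} safe={safe!r}")
```

Only the first request should survive the hardened check; the weak check accepts the "../" and sibling-directory requests because the prefix is still intact before normalisation.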
Western Digital posted a notification to its support site informing users of both the Windows and Mac versions of the EdgeRover Desktop App that they need to ensure they are running release version 1.5.1-594 at a minimum in order to have the fix for this issue.
The EdgeRover app is designed to provide users with a single view of their content, which may be spread across multiple storage devices and cloud storage services. EdgeRover creates a searchable and browsable catalog of all content, and also provides tools to manage supported Western Digital and SanDisk storage devices.
In particular, EdgeRover is able to change vital settings on supported Western Digital and SanDisk devices, including the ability to set passwords, delete content, and rename devices, which would allow an attacker plenty of scope to cause mischief.
This is not the first security fix for EdgeRover to come this year. In January, the firm advised users to download an updated release to address multiple vulnerabilities, but in that case these were due to an open-source tool, the FFmpeg multimedia framework, which EdgeRover makes use of.
With that vulnerability, an exploit might have caused a denial of service or allowed an attacker to execute code by presenting malformed files or streams for processing. That vulnerability also carried a CVSS severity rating of 9.1. ®