
Western Digital’s EdgeRover desktop app for both Windows and macOS is vulnerable to local privilege escalation and sandbox escape bugs that can allow the disclosure of sensitive information or denial of service (DoS).
EdgeRover is a centralized content management solution for Western Digital and SanDisk products that unites multiple digital storage devices under a single management interface.
It is a proprietary software solution aimed at increasing usability and comfort, with powerful search capabilities, filtering, categorization options, privacy settings, collection creation, duplicate detection and more.
Since Western Digital is one of the world’s most successful manufacturers and retailers of digital storage products, there is likely a significant number of people using EdgeRover for data management.
A problem that exposes data
The vulnerability, tracked as CVE-2022-22998, is a directory traversal bug, allowing unauthorized access to restricted directories and files. The vulnerability has been given a CVSS v3 severity rating of 9.1, which categorizes the flaw as critical.
Western Digital’s brief advisory doesn’t provide much detail about the vulnerability, so it’s not clear whether it is a DLL hijacking bug that enables local privilege escalation or a bug that allows access to unauthorized data locations.
However, Western Digital advises its customers to update their EdgeRover desktop applications to version 1.5.1-594 or later, which was released last week to address these vulnerabilities.
The flaw was discovered by threat researcher Xavier Danest, who responsibly disclosed it to the vendor.
Western Digital addressed the security issue by correcting file and directory permissions to prevent unauthorized access and modification.
It is unclear whether the vulnerability has been actively exploited, but BleepingComputer has contacted the hardware giant to request more details.
It should be noted that because the flaw is exploited locally, a threat actor who uses it to steal your data most likely already had a foothold on your system through some other compromise.
Media collection management apps can seem appealing, especially to users who need to organize multiple terabytes of data from different sources. Still, keep in mind that every app comes with its own security and privacy risks.
Users are concerned about privacy implications of using EdgeRover (Western Digital)
In this case, it’s convenience versus security, as CVE-2022-22998 could potentially lead to the exposure of the users’ entire private media and data collection.
If you are concerned about this scenario, we recommend that you use the default file manager that comes with your operating system and keep the number of third-party apps on your system to a minimum.
This post, Bug in Western Digital app gives elevated privileges in Windows, macOS, was originally published at “https://www.bleepingcomputer.com/news/security/western-digital-app-bug-gives-elevated-privileges-in-windows-macos/”
