Western Digital’s EdgeRover desktop application for Windows and Mac is vulnerable to local elevation of privilege and sandboxing escape bugs that could allow sensitive information disclosure or denial of service (DoS) attacks.
EdgeRover is a centralized content management solution for Western Digital and SanDisk products, unifying multiple digital storage devices under a single management interface.
It is a proprietary software solution aimed at increasing usability and convenience, providing powerful options for content search, filtering, categorization, privacy settings, collection creation, duplicate detection, and more.
Considering Western Digital is one of the most successful manufacturers and retailers of digital storage products in the world, there are likely to be a significant number of people using EdgeRover for data management.
A data exposure problem
The vulnerability, identified as CVE-2022-22998, is a directory traversal bug, allowing unauthorized access to restricted directories and files. The vulnerability received a CVSS v3 severity rating of 9.1, categorizing the flaw as critical.
Western Digital’s brief advisory doesn’t provide many details regarding the vulnerability, so it’s unclear whether it’s a DLL hijacking bug that allows local elevation of privilege or a bug that allows an unprivileged local context to access data locations it shouldn’t be able to reach.
Either way, Western Digital is advising customers to update their EdgeRover desktop applications to version 1.5.1-594 or later, released last week, to address these vulnerabilities.
The flaw was discovered by threat researcher Xavier Danest, who responsibly disclosed it to the vendor.
Western Digital addressed the security issue by fixing file and directory permissions to prevent unauthorized access and modification.
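To illustrate the two points above, the directory traversal bug class and the permissions-based fix, here is an added example that is not EdgeRover’s code and is not derived from Western Digital’s advisory. It contrasts the vulnerable "join and trust" pattern with a hardened path-confinement check, and adds a simple detector for a world-writable data directory of the kind a permissions fix would tighten. The base directory, file names and functions are all constructed assumptions for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path


def naive_open_path(base: str, requested: str) -> str:
    """Vulnerable pattern (illustrative): join a user-controlled name onto a base
    directory and trust the result. A '..' component walks out of the base."""
    return os.path.join(base, requested)


def confined_path(base: str, requested: str) -> Path:
    """Hardened pattern: resolve symlinks and '..' first, then require the final
    path to remain inside the base. Absolute requested paths are rejected too,
    because Path's '/' operator discards the base when the right side is absolute."""
    base_real = Path(base).resolve()
    candidate = (base_real / requested).resolve()
    try:
        candidate.relative_to(base_real)
    except ValueError:
        raise PermissionError(f"path escapes confinement: {requested!r}")
    return candidate


def escapes_base(base: str, requested: str) -> bool:
    """True when the hardened check rejects the request."""
    try:
        confined_path(base, requested)
        return False
    except PermissionError:
        return True


def world_writable(path: str) -> bool:
    """Detect the loose permission a 'fix file and directory permissions' change
    would remove: any user on the machine can write into this path."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def demo() -> dict:
    """Build a constructed sandbox layout in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = Path(tmp) / "library"          # assumed app data directory
        data_dir.mkdir()
        (data_dir / "photo.jpg").write_bytes(b"constructed sample")
        secret = Path(tmp) / "secret.txt"         # constructed file outside the base
        secret.write_text("outside the sandbox")

        results = {
            # The naive join happily resolves to the file outside the base.
            "naive_escapes": os.path.realpath(
                naive_open_path(str(data_dir), "../secret.txt")) == str(secret.resolve()),
            # The hardened check refuses the same request...
            "hardened_blocks": escapes_base(str(data_dir), "../secret.txt"),
            # ...but still allows a legitimate name inside the base.
            "hardened_allows": not escapes_base(str(data_dir), "photo.jpg"),
        }

        os.chmod(data_dir, 0o777)
        results["loose_perms_detected"] = world_writable(str(data_dir))
        os.chmod(data_dir, 0o750)
        results["tight_perms_ok"] = not world_writable(str(data_dir))
        return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The confinement check resolves both sides before comparing, which matters on macOS, where /tmp is a symlink; comparing unresolved strings would produce false rejections or, worse, false acceptances.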
It’s unclear if the vulnerability has been actively exploited; Bleeping Computer has contacted the hardware giant to ask for more details.
It should be noted that this is a local vulnerability: for a malicious actor to use it to steal your data, they would already need a foothold on your machine, so chances are your system has already been compromised in some way.
Media collection management apps might sound appealing, especially to users who need to organize multiple terabytes of data from various sources. However, it should be remembered that each app comes with its own set of security and privacy risks.
In this case, it’s convenience over security, as CVE-2022-22998 could potentially lead to the exposure of a user’s entire private media and data collection.
If this scenario worries you, we suggest that you stick with the default file manager that comes with your operating system and keep the number of third-party apps on your system to a minimum.