Western Digital My Cloud Multiple Products 5.x < 5.26.202 Multiple Vulnerabilities (WDC-23006, WDC-23009)

# SPDX-FileCopyrightText: 2023 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.149702");
  script_version("2023-10-24T05:06:28+0000");
  script_tag(name:"last_modification", value:"2023-10-24 05:06:28 +0000 (Tue, 24 Oct 2023)");
  script_tag(name:"creation_date", value:"2023-05-19 07:45:46 +0000 (Fri, 19 May 2023)");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2023-07-10 15:25:00 +0000 (Mon, 10 Jul 2023)");

  script_cve_id("CVE-2022-36326", "CVE-2022-36327", "CVE-2022-36328", "CVE-2022-29840",
                "CVE-2023-22814");

  script_tag(name:"qod_type", value:"remote_banner");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("Western Digital My Cloud Multiple Products 5.x < 5.26.202 Multiple Vulnerabilities (WDC-23006, WDC-23009)");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2023 Greenbone AG");
  script_family("General");
  script_dependencies("gb_wd_mycloud_consolidation.nasl");
  script_mandatory_keys("wd-mycloud/detected");

  script_tag(name:"summary", value:"Multiple Western Digital My Cloud products are prone to
  multiple vulnerabilities.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"The following vulnerabilities exist:

  - CVE-2022-36326: Uncontrolled resource consumption vulnerability that could arise by sending
  crafted requests to a service to consume a large amount of memory, eventually resulting in the
  service being stopped and restarted.

  - CVE-2022-36327: Improper limitation of a pathname to a restricted directory ('Path Traversal')
  vulnerability that could allow an attacker to write files to locations with certain critical
  filesystem types leading to remote code execution.

  - CVE-2022-36328: Improper limitation of a pathname to a restricted directory ('Path Traversal')
  vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories
  and exfiltrate sensitive files, passwords, users and device configurations.

  - CVE-2022-29840: Server-side request forgery (SSRF) vulnerability that could allow a rogue
  server on the local network to modify its URL to point back to the loopback adapter.

  - CVE-2023-22814: Vulnerability in the token-based authentication mechanism that could allow an
  attacker to carry out an impersonation attack.");

  script_tag(name:"affected", value:"Western Digital My Cloud PR2100, My Cloud PR4100, My Cloud
  EX4100, My Cloud EX2 Ultra, My Cloud Mirror Gen 2, My Cloud DL2100, My Cloud DL4100, My Cloud
  EX2100, My Cloud and WD Cloud with firmware prior to version 5.26.202.");

  script_tag(name:"solution", value:"Update to firmware version 5.26.202 or later.");

  script_xref(name:"URL", value:"https://os5releasenotes.mycloud.com/#5.26.202");
  script_xref(name:"URL", value:"https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202");
  script_xref(name:"URL", value:"https://www.westerndigital.com/support/product-security/wdc-23009-western-digital-my-cloud-os-5-my-cloud-home-and-sandisk-ibi-firmware-update");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

cpe_list = make_list("cpe:/o:wdc:wd_cloud_firmware",
                     "cpe:/o:wdc:my_cloud_firmware",
                     "cpe:/o:wdc:my_cloud_mirror_firmware",
                     "cpe:/o:wdc:my_cloud_ex2ultra_firmware",
                     "cpe:/o:wdc:my_cloud_ex2100_firmware",
                     "cpe:/o:wdc:my_cloud_ex4100_firmware",
                     "cpe:/o:wdc:my_cloud_dl2100_firmware",
                     "cpe:/o:wdc:my_cloud_dl4100_firmware",
                     "cpe:/o:wdc:my_cloud_pr2100_firmware",
                     "cpe:/o:wdc:my_cloud_pr4100_firmware");

if (!infos = get_app_version_from_list(cpe_list: cpe_list, nofork: TRUE, version_regex: "^[0-9]+\.[0-9]+\.[0-9]+")) # nb: The HTTP Detection is only able to extract the major release like 2.30
  exit(0);

version = infos["version"];

if (version_in_range_exclusive(version: version, test_version_lo: "5.0", test_version_up: "5.26.202")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "5.26.202");
  security_message(port: 0, data: report);
  exit(0);
}

exit(99);