Western Digital has released new My Cloud OS firmware to fix a vulnerability exploited by bug hunters during the Pwn2Own 2021 hacking competition to achieve remote code execution.

The flaw, tracked as CVE-2022-23121, was exploited by the NCC Group’s EDG team members and relied on the open-source service named “Netatalk Service” that was included in My Cloud OS.

The vulnerability, which has a CVSS v3 severity score of 9.8, allows remote attackers to execute arbitrary code on the target device (in this case a WD PR4100 NAS) without requiring authentication.

“The specific flaw exists within the parse_entries function. The issue results from the lack of proper error handling when parsing AppleDouble entries,” explains the Zero Day Initiative advisory.

“An attacker can leverage this vulnerability to execute code in the context of root.”
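As an added illustration of the bug class the advisory describes (this is not Netatalk's code and does not reproduce the actual defect in its parse_entries function), the following Python parser reads an AppleDouble entry table and rejects anything it cannot prove lies inside the buffer. The layout constants follow the published AppleSingle/AppleDouble format; the entry cap, the helper names and the sample inputs are assumptions constructed for this example.

```python
import struct

# Layout from the AppleSingle/AppleDouble format specification (all big-endian):
#   magic(4) version(4) filler(16) entry_count(2), then entry_count x [id(4) offset(4) length(4)]
APPLEDOUBLE_MAGIC = 0x00051607
APPLESINGLE_MAGIC = 0x00051600
HEADER_FMT = ">II16sH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 26 bytes
ENTRY_FMT = ">III"
ENTRY_LEN = struct.calcsize(ENTRY_FMT)     # 12 bytes per entry
MAX_ENTRIES = 64                            # assumed cap for this example, not a spec limit


class AppleDoubleError(ValueError):
    """Raised for any header the parser refuses to trust."""


def parse_entries(blob: bytes) -> list[tuple[int, int, int]]:
    """Return validated (entry_id, offset, length) triples or raise AppleDoubleError."""
    if len(blob) < HEADER_LEN:
        raise AppleDoubleError("header truncated")
    magic, version, _filler, count = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic not in (APPLEDOUBLE_MAGIC, APPLESINGLE_MAGIC):
        raise AppleDoubleError(f"unexpected magic {magic:#010x}")
    if version != 0x00020000:
        raise AppleDoubleError(f"unsupported version {version:#010x}")
    if count > MAX_ENTRIES:
        raise AppleDoubleError(f"entry count {count} exceeds cap {MAX_ENTRIES}")
    table_end = HEADER_LEN + count * ENTRY_LEN
    if table_end > len(blob):
        raise AppleDoubleError("entry table extends past end of buffer")
    entries = []
    for i in range(count):
        eid, off, length = struct.unpack_from(ENTRY_FMT, blob, HEADER_LEN + i * ENTRY_LEN)
        # Every entry must lie entirely inside the buffer and after the table.
        # In C, off + length can wrap a 32-bit integer; compare length against the
        # remaining size instead of adding, so the same check is safe there too.
        if off < table_end or off > len(blob) or length > len(blob) - off:
            raise AppleDoubleError(f"entry {i} (id {eid}) out of bounds: off={off} len={length}")
        entries.append((eid, off, length))
    return entries


def build_appledouble(payloads: list[tuple[int, bytes]]) -> bytes:
    """Constructed helper: assemble a well-formed AppleDouble blob for the demo."""
    count = len(payloads)
    offset = HEADER_LEN + count * ENTRY_LEN
    table, body = b"", b""
    for eid, data in payloads:
        table += struct.pack(ENTRY_FMT, eid, offset, len(data))
        body += data
        offset += len(data)
    header = struct.pack(HEADER_FMT, APPLEDOUBLE_MAGIC, 0x00020000, b"\x00" * 16, count)
    return header + table + body


def describe(blob: bytes) -> str:
    """Summarise the parser verdict as a string (handy for logging and tests)."""
    try:
        entries = parse_entries(blob)
    except AppleDoubleError as exc:
        return f"rejected: {exc}"
    return "ok: " + ", ".join(f"id={e} off={o} len={n}" for e, o, n in entries)


# Constructed samples: a valid file (Finder info id 9 + resource fork id 2) and two malformed ones.
GOOD = build_appledouble([(9, b"\x00" * 32), (2, b"RSRC")])
TRUNCATED = GOOD[:-1]                                        # last entry overruns the buffer
INFLATED = GOOD[:24] + struct.pack(">H", 60000) + GOOD[26:]  # entry count far beyond the data

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("truncated", TRUNCATED), ("inflated", INFLATED)):
        print(f"{name:10s} {describe(blob)}")
```

The design point is that every offset and length in the table is attacker-controlled input from the network, so each one is checked against the buffer that was actually received before any byte is read through it, and a malformed file is refused rather than partially processed.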

Vulnerability in Netatalk service

Netatalk is a free and open-source implementation of the Apple Filing Protocol (AFP), allowing Unix-like OSes to serve as file servers for macOS clients.

The version used by WD in some of their NAS devices was released back in December 2018, a typical case of a semi-abandoned open source project that already had other known exploitable flaws at the time of the hacking contest.

To make matters worse, Western Digital PR4100 had a public AFP share by default, which was available to the hackers without requiring user authentication.

The group used this public share to reach various post-authentication handlers, speeding up and easing their cracking efforts.

After it was leveraged for RCE at the recent Pwn2Own, the Netatalk development team released version 3.1.13 of the software to fix security bugs.

In addition to CVE-2022-23121, the new version of Netatalk fixes six other vulnerabilities, some of which are also critical (9.8) RCEs.

As such, all software developers using the particular open-source tool are advised to install the latest version of the service.

Western Digital pulls Netatalk

Western Digital decided to deprecate the service and remove it from My Cloud OS altogether in firmware update 5.19.117, so users of WD NAS devices are advised to upgrade to that version or later.

The devices supported by this version are listed below, and since all used the exploitable Netatalk service, they are all considered vulnerable.

  • My Cloud PR2100
  • My Cloud PR4100
  • My Cloud EX2 Ultra
  • My Cloud EX 4100
  • My Cloud Mirror Gen 2
  • My Cloud EX2100
  • My Cloud DL2100
  • My Cloud DL4100

After upgrading to the latest firmware version, the Netatalk service will no longer be available, but you may continue to access network shares via SMB. For more info on how to do that, please refer to this support page.
