Western Digital has pushed a new firmware update for its My Cloud OS, fixing a high- severity vulnerability that was discovered during a recent hacking contest.
As reported by BleepingComputer, cybersecurity experts from the NCC Group exploited a flaw in Netatalk Service, an open-source implementation of the Apple Filing Protocol (AFP) that allows for Unix-like operating systems to serve as file servers for macOS clients.
The flaw, now tracked as CVE-2022-23121, carries a severity score of 9.8/10, as it allows threat actors to run any code on the target endpoint (opens in new tab), without authentication.
We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.
>> Click here to start the survey in a new window (opens in new tab) <<
“The specific flaw exists within the parse_entries function. The issue results from the lack of proper error handling when parsing AppleDouble entries,” the Zero Day Initiative advisory (opens in new tab) reads. “An attacker can leverage this vulnerability to execute code in the context of root.”
As a result, Western Digital pulled the Netatalk service completely from the My Cloud OS, starting with firmware version 5.19.117, and has advised all WD NAS users to update their endpoints to this version.
These are the devices considered vulnerable to the exploit:
- My Cloud PR2100
- My Cloud PR4100
- My Cloud EX2 Ultra
- My Cloud EX 4100
- My Cloud Mirror Gen 2
- My Cloud EX2100
- My Cloud DL2100
- My Cloud DL4100
> Western Digital desktop app exposes Windows and macOS users to attack (opens in new tab)
> WD My Cloud NAS boxes can be hacked over the internet, claim researchers (opens in new tab)
> Western Digital admits it throttled write speeds with flash memory change (opens in new tab)
WD NAS users who decide to update their devices to the latest version can no longer use the Netatalk service, but can continue accessing network shares via SMB.
The Netatalk development team didn’t sit idly, however. After the remote code execution bug was exploited in the contest, they pushed an update fixing CVE-2022-23121 and a number of other known vulnerabilities, some of which was classified as critical.
- These are the best cloud storage right now
Via BleepingComputer (opens in new tab)