Western Digital has released a new version of My Cloud OS that fixes a vulnerability exploited for remote code execution at the Pwn2Own 2021 hacking competition. The flaw, tracked as CVE-2022-23121, was used by the NCC Group EDG team and affected the open source Netatalk service bundled with My Cloud OS.
The bug carries a CVSS score of 9.8 out of 10: a remote attacker can execute arbitrary code on the target device without any authentication (at Pwn2Own, the target was a WD PR4100 NAS).
According to Zero Day Initiative analysts, the flaw lies in the parse_entries function: errors encountered while parsing AppleDouble entries are not handled properly.
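As an added illustration (this is not Netatalk's code and not the ZDI write-up), the C program below parses an AppleDouble entry table with the kind of error handling the article says was missing: every malformed descriptor is reported to the caller instead of being skipped, the entry count is validated against the buffer before the table is read, and offset + length is summed in 64 bits so a pair of 32-bit values cannot wrap around to a small number. The header layout follows Apple's public AppleDouble v2 specification; the AD_MAX_ENTRIES cap, the constructed sample buffers and the ad_demo_* functions are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* AppleDouble v2 header (Apple's AppleSingle/AppleDouble spec), big-endian:
 * magic(4) version(4) filler(16) entry-count(2), followed by entry-count
 * descriptors of id(4) offset(4) length(4). */
#define AD_MAGIC       0x00051607u
#define AD_VERSION     0x00020000u
#define AD_HEADER_LEN  26
#define AD_ENTRY_LEN   12
#define AD_MAX_ENTRIES 16   /* cap chosen for this example, not taken from the spec */

typedef struct { uint32_t id, offset, length; } ad_entry;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Parse the entry table of an AppleDouble blob held in buf[0..len).
 * Returns the number of entries (> 0) or -1. Every malformed condition is
 * an error return: a bad descriptor is never skipped and never used. */
int ad_parse_entries(const uint8_t *buf, size_t len, ad_entry *out, size_t max_out)
{
    if (buf == NULL || len < AD_HEADER_LEN) return -1;
    if (be32(buf) != AD_MAGIC || be32(buf + 4) != AD_VERSION) return -1;

    uint16_t count = be16(buf + 24);
    if (count == 0 || count > max_out || count > AD_MAX_ENTRIES) return -1;

    /* count <= 65535, so this product cannot overflow size_t */
    size_t table_end = AD_HEADER_LEN + (size_t)count * AD_ENTRY_LEN;
    if (table_end > len) return -1;                     /* descriptor table itself must fit */

    for (size_t i = 0; i < count; i++) {
        const uint8_t *d = buf + AD_HEADER_LEN + i * AD_ENTRY_LEN;
        ad_entry e = { be32(d), be32(d + 4), be32(d + 8) };
        if (e.id == 0) return -1;                       /* entry ID 0 is reserved by the spec */
        /* 64-bit sum: 0xFFFFFFFE + 4 wraps to 2 in 32 bits and would pass a naive check */
        if ((uint64_t)e.offset + e.length > len) return -1;
        if (e.offset < table_end) return -1;            /* data must not overlap header/table */
        out[i] = e;
    }
    return (int)count;
}

/* Constructed sample (86 bytes): Finder Info (id 9, 32 bytes at offset 50)
 * followed by a 4-byte resource fork (id 2). 'count' and 'fork_off' let the
 * demos plant a bogus entry count or a bogus fork offset. */
static size_t build_sample(uint8_t *buf, uint16_t count, uint32_t fork_off)
{
    memset(buf, 0, 128);
    put32(buf, AD_MAGIC);
    put32(buf + 4, AD_VERSION);
    put16(buf + 24, count);
    put32(buf + 26, 9); put32(buf + 30, 50);       put32(buf + 34, 32);
    put32(buf + 38, 2); put32(buf + 42, fork_off); put32(buf + 46, 4);
    return 86;
}

int ad_demo_valid(void)            /* well-formed: both entries accepted */
{
    uint8_t b[128]; ad_entry e[AD_MAX_ENTRIES];
    size_t n = build_sample(b, 2, 82);
    return ad_parse_entries(b, n, e, AD_MAX_ENTRIES);
}
int ad_demo_wrapping_offset(void)  /* offset 0xFFFFFFFE + length 4 wraps in 32 bits */
{
    uint8_t b[128]; ad_entry e[AD_MAX_ENTRIES];
    size_t n = build_sample(b, 2, 0xFFFFFFFEu);
    return ad_parse_entries(b, n, e, AD_MAX_ENTRIES);
}
int ad_demo_oversized_count(void)  /* claims 6 entries: table would end at byte 98 > 86 */
{
    uint8_t b[128]; ad_entry e[AD_MAX_ENTRIES];
    size_t n = build_sample(b, 6, 82);
    return ad_parse_entries(b, n, e, AD_MAX_ENTRIES);
}

int main(void)
{
    printf("valid sample:     %d\n", ad_demo_valid());
    printf("wrapping offset:  %d\n", ad_demo_wrapping_offset());
    printf("oversized count:  %d\n", ad_demo_oversized_count());
    return 0;
}
```

The two rejected samples are the cases a parser that "continues" past a failed check would get wrong: with a 32-bit sum the wrapped offset looks like it ends at byte 2, and with no table-size check the loop would read descriptors beyond the end of the buffer.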
Netatalk is a free and open source implementation of the Apple Filing Protocol (AFP) that lets Unix systems act as file servers for macOS clients. The Netatalk version shipped in some WD NAS devices dated back to December 2018; the project had seen little maintenance since and had a history of other vulnerabilities.
Worse, Western Digital PR4100 devices exposed a public AFP share by default, reachable by any attacker without authentication. The researchers used this share to reach the AFP request handlers, which made the exploit quicker and easier to develop.
After the RCE was demonstrated at Pwn2Own, the Netatalk developers fixed the bug in version 3.1.13. Western Digital, however, has decided to drop support for the service entirely and has removed it from My Cloud OS as of version 5.19.117. The devices covered by this release are listed below; all of them shipped the affected Netatalk versions and should be considered vulnerable until updated.
- My Cloud PR2100
- My Cloud PR4100
- My Cloud EX2 Ultra
- My Cloud EX4100
- My Cloud Mirror Gen 2
- My Cloud EX2100
- My Cloud DL2100
- My Cloud DL4100
We have previously covered related Western Digital incidents: Someone Erases Data from WD My Book Live and Manufacturer Advises Unplugging Devices, and Hackers Erased Data from WD My Book Live Devices through 0-Day Vulnerability.