Western Digital My Cloud OS update fixes critical vulnerability
Security News, March 2022

Western Digital has released new My Cloud OS firmware to fix a vulnerability that bug hunters exploited during the Pwn2Own Austin 2021 hacking competition to achieve remote code execution.
The flaw, tracked as CVE-2022-23121, was exploited by members of NCC Group's Exploit Development Group (EDG) and lies in Netatalk, the open-source Apple Filing Protocol (AFP) file server bundled with My Cloud OS. It carries a CVSS v3 score of 9.8 and allows an unauthenticated remote attacker to execute arbitrary code on the target device, in this case the WD PR4100 NAS. The root cause is missing error handling in Netatalk's parsing of AppleDouble metadata entries, which is why it is classified as improper handling of exceptional conditions.
To make matters worse, the PR4100 exposed a public AFP share by default, so the attackers could reach the vulnerable code path without any user credentials.
Alongside CVE-2022-23121, the new Netatalk release (3.1.13) fixes six other vulnerabilities, several of which are also critical remote code execution bugs.
Rather than ship the patched Netatalk, Western Digital deprecated the service and removed it from My Cloud OS entirely in firmware 5.19.117, so users of WD NAS devices are advised to upgrade to that version or later. Because AFP is gone after the update, clients that still mount shares over AFP will need to use another protocol such as SMB.
The devices that receive this version are listed below; since every one of them shipped the exploitable Netatalk service, all are considered vulnerable until updated.
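The two checks a practitioner would want after reading this, whether a NAS still answers on the AFP port with a Netatalk build older than 3.1.13 and whether it offers guest (unauthenticated) access, can be made with a single DSIGetStatus request, which itself needs no authentication. The script below is an added example written for this page; it is not code from the article, from NCC Group or from Western Digital. It speaks AFP's DSI framing on TCP port 548, parses the FPGetSrvrInfo reply (machine type, supported AFP versions, UAM list) and flags "No User Authent", the AFP guest UAM. The sample reply bytes, the server name "MyCloudPR4100" and the UAM list in the sample are constructed for the example, not captured from a device.

```python
import re
import socket
import struct
import sys

AFP_PORT = 548
DSI_GETSTATUS = 0x03
GUEST_UAM = "No User Authent"        # AFP's guest UAM: login with no credentials
NETATALK_FIXED = (3, 1, 13)          # first Netatalk release with CVE-2022-23121 fixed


def build_dsi_getstatus(request_id=1):
    """16-byte DSI header: flags (0 = request), command, request id,
    error code / data offset, total data length, reserved."""
    return struct.pack(">BBHIII", 0x00, DSI_GETSTATUS, request_id, 0, 0, 0)


def _pstr(s):
    """AFP Pascal string: one length byte followed by the bytes."""
    b = s.encode("utf-8")
    return bytes([len(b)]) + b


def _read_pstr(buf, off):
    end = off + 1 + buf[off]
    if end > len(buf):
        raise ValueError("Pascal string runs past end of reply")
    return buf[off + 1:end].decode("utf-8", "replace"), end


def _read_pstr_list(buf, off):
    items, count, off = [], buf[off], off + 1
    for _ in range(count):
        s, off = _read_pstr(buf, off)
        items.append(s)
    return items


def parse_srvr_info(payload):
    """Parse the FPGetSrvrInfo reply body (bytes after the DSI header).
    Layout: uint16 offsets to machine type, AFP version list, UAM list and
    volume icon, uint16 flags, then the server name as a Pascal string.
    Offsets are relative to the start of the body, so later optional
    fields (signature, network addresses, UTF-8 name) can be skipped."""
    if len(payload) < 11:
        raise ValueError("reply too short for FPGetSrvrInfo")
    machine_off, ver_off, uam_off, _icon_off, flags = struct.unpack_from(">HHHHH", payload, 0)
    server_name, _ = _read_pstr(payload, 10)
    machine_type, _ = _read_pstr(payload, machine_off)
    return {
        "server_name": server_name,
        "machine_type": machine_type,
        "afp_versions": _read_pstr_list(payload, ver_off),
        "uams": _read_pstr_list(payload, uam_off),
        "flags": flags,
    }


def assess(info):
    """Flag a Netatalk build older than 3.1.13 and guest access. The version
    test is a heuristic: a vendor can backport fixes without changing the
    "Netatalk<version>" machine-type string Netatalk advertises."""
    m = re.match(r"Netatalk(\d+)\.(\d+)\.(\d+)", info["machine_type"])
    version = tuple(int(x) for x in m.groups()) if m else None
    return {
        "netatalk": m is not None,
        "version": version,
        "pre_3_1_13": version is not None and version < NETATALK_FIXED,
        "guest_uam": GUEST_UAM in info["uams"],
    }


def build_srvr_info(server_name, machine_type, afp_versions, uams, flags=0):
    """Encode a minimal FPGetSrvrInfo body; used here only to construct a sample reply."""
    name = _pstr(server_name)
    if len(name) % 2:
        name += b"\x00"                      # variable part starts on an even offset
    machine = _pstr(machine_type)
    versions = bytes([len(afp_versions)]) + b"".join(_pstr(v) for v in afp_versions)
    uam_blob = bytes([len(uams)]) + b"".join(_pstr(u) for u in uams)
    machine_off = 10 + len(name)
    ver_off = machine_off + len(machine)
    uam_off = ver_off + len(versions)
    head = struct.pack(">HHHHH", machine_off, ver_off, uam_off, 0, flags)
    return head + name + machine + versions + uam_blob


# Constructed sample reply (not captured from a real device): a NAS running
# Netatalk 3.1.12 that offers guest login alongside DHX2 and DHCAST128.
SAMPLE_REPLY = build_srvr_info("MyCloudPR4100", "Netatalk3.1.12",
                               ["AFP3.3", "AFP3.2", "AFP3.1"],
                               [GUEST_UAM, "DHX2", "DHCAST128"])


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
    return buf


def fetch_srvr_info(host, port=AFP_PORT, timeout=5.0):
    """Send DSIGetStatus to a live host and parse the reply body."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_dsi_getstatus())
        _flags, _cmd, _rid, err, length, _res = struct.unpack(">BBHiII", _recv_exact(sock, 16))
        if err != 0:
            raise ConnectionError("DSI error %d" % err)
        return parse_srvr_info(_recv_exact(sock, length))


if __name__ == "__main__":
    info = fetch_srvr_info(sys.argv[1]) if len(sys.argv) > 1 else parse_srvr_info(SAMPLE_REPLY)
    print(info)
    print(assess(info))
```

Run it with a host name to probe a live NAS, or with no arguments to parse the constructed sample. After My Cloud OS 5.19.117 the connection to port 548 should simply be refused, which is the definitive check; a version string older than 3.1.13 on any other AFP server is a reason to patch, and "No User Authent" in the UAM list means the share is reachable exactly as the Pwn2Own entry needed it to be.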
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS v3) |
|---|---|---|---|
| 2023-03-28 | CVE-2022-23121 | Improper Handling of Exceptional Conditions vulnerability in multiple products. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. | 9.8 |