
Western Digital My Cloud OS update fixes critical vulnerability
2022-03-24 21:47

Western Digital has released new My Cloud OS firmware to fix a vulnerability exploited by bug hunters during the Pwn2Own 2021 hacking competition to achieve remote code execution.

The flaw, tracked as CVE-2022-23121, was exploited by members of NCC Group's EDG team and relied on Netatalk, an open-source AFP file-sharing service that was bundled with My Cloud OS. The vulnerability, which has a CVSS v3 severity score of 9.8, allows remote attackers to execute arbitrary code on the target device, in this case a WD PR4100 NAS, without requiring authentication.

To make matters worse, the Western Digital PR4100 exposed a public AFP share by default, so the researchers could reach the vulnerable service without any user authentication.

In addition to CVE-2022-23121, the new version of Netatalk fixes six other vulnerabilities, some of which are also critical RCEs.

Western Digital decided to deprecate the service and remove it from My Cloud OS altogether in firmware update 5.19.117, so users of WD NAS devices are advised to upgrade to that version or later.

The devices supported by this firmware version are listed below; since all of them shipped with the exploitable Netatalk service, all are considered vulnerable.


News URL

https://www.bleepingcomputer.com/news/security/western-digital-my-cloud-os-update-fixes-critical-vulnerability/

Related Vulnerability

DATE: 2023-03-28
CVE: CVE-2022-23121
VULNERABILITY TITLE: Improper Handling of Exceptional Conditions vulnerability in multiple products
DESCRIPTION: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk.
ATTACK VECTOR: network, low complexity
AFFECTED PRODUCTS: netatalk, debian
WEAKNESS: CWE-755
RISK: critical (CVSS 9.8)