Western Digital customers urged to update to latest version of My Cloud OS

Experts found a flaw that allowed for remote code execution

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Western Digital has pushed a new firmware update for its My Cloud OS, fixing a high- severity vulnerability that was discovered during a recent hacking contest.

As reported byBleepingComputer, cybersecurity experts from the NCC Group exploited a flaw in Netatalk Service, an open-source implementation of theAppleFiling Protocol (AFP) that allows for Unix-likeoperating systemsto serve as fileserversfor macOS clients.

The flaw, now tracked as CVE-2022-23121, carries a severity score of 9.8/10, as it allows threat actors to run any code on the targetendpoint, without authentication.

We’re looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn’t take more than 60 seconds of your time. Thank you for taking part.

Click here to start the survey in a new window«

Removing Netatalk

“The specific flaw exists within the parse_entries function. The issue results from the lack of proper error handling when parsing AppleDouble entries,” theZero Day Initiative advisoryreads. “An attacker can leverage this vulnerability to execute code in the context of root.”

As a result, Western Digital pulled the Netatalk service completely from the My Cloud OS, starting with firmware version 5.19.117, and has advised all WDNASusers to update their endpoints to this version.

These are the devices considered vulnerable to the exploit:

Western Digital desktop app exposes Windows and macOS users to attack>WD My Cloud NAS boxes can be hacked over the internet, claim researchers>Western Digital admits it throttled write speeds with flash memory change

WD NAS users who decide to update their devices to the latest version can no longer use the Netatalk service, but can continue accessing network shares via SMB.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The Netatalk development team didn’t sit idly, however. After the remote code execution bug was exploited in the contest, they pushed an update fixing CVE-2022-23121 and a number of other known vulnerabilities, some of which was classified as critical.

ViaBleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new malware utilizes a rare programming language to evade traditional detection methods

Google puts Nvidia on high alert as it showcases Trillium, its rival AI chip, while promising to bring H200 Tensor Core GPUs within days

Arcane season 2 confirms the hit series isn’t just one of the best Netflix shows ever made – it’s an animated legend that’ll stand the test of time