Western Digital has addressed a high-severity flaw that allowed attackers to take control of unpatched My Cloud OS 5 devices and execute code remotely with root privileges. The weakness is an out-of-bounds heap read/write, tracked as CVE-2021-44142, in the Samba vfs_fruit VFS module. Unauthenticated threat actors can use it to launch low-complexity attacks against My Cloud devices running vulnerable firmware versions.
“This specific flaw exists within the parsing of extended attributes (EA) metadata when opening a file in smbd,” explained the data storage company. “This vulnerability can be exploited by unauthenticated users if they are allowed write access to file extended attributes.”
The Samba Team explained that default settings are vulnerable to attack, but that a threat actor requires write access to a file’s extended attributes (which may be available to a guest or unauthenticated user if such write access is granted). In My Cloud OS 5 Firmware 5.21.104, published on March 23, 2022, Western Digital resolved the issue by removing the “fruit” VFS module from the list of configured VFS objects and altering the EA support configuration.
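The fix described above is a configuration change rather than a code patch, so the defender-side check is simply: does any share still load vfs_fruit, and is extended-attribute support enabled for it? The script below is an added example, not Western Digital's or the Samba project's own code. It parses a constructed smb.conf excerpt (not taken from My Cloud firmware), reports every share whose effective `vfs objects` line (share level, falling back to `[global]`) contains `fruit` together with its effective `ea support` value, and shows the hardened form of a flagged share with the module and its `fruit:` options removed. The share names, paths and option values are assumptions made up for the example.

```python
# Constructed smb.conf excerpt (assumption, not from Western Digital firmware):
# [TimeMachine] still loads vfs_fruit, the vulnerable setting;
# [Public] has the module removed and EA support disabled.
SAMPLE_SMB_CONF = """
[global]
    workgroup = WORKGROUP
    ea support = yes

[TimeMachine]
    path = /shares/TimeMachine
    vfs objects = catia fruit streams_xattr
    fruit:time machine = yes

[Public]
    path = /shares/Public
    vfs objects = streams_xattr
    ea support = no
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {lowercase key: value}}.

    Handles '#' and ';' comments, blank lines and indented options, which
    is enough for the flat key = value layout Samba uses.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def effective(share, conf, key, default="not set"):
    """Share-level value, falling back to [global], then to a default."""
    return share.get(key, conf.get("global", {}).get(key, default))


def audit_vfs_fruit(conf):
    """Return {share name: finding} for every share that still loads vfs_fruit."""
    findings = {}
    for name, share in conf.items():
        if name.lower() == "global":
            continue
        modules = effective(share, conf, "vfs objects", "").split()
        if "fruit" in modules:
            findings[name] = {
                "vfs objects": modules,
                "ea support": effective(share, conf, "ea support"),
            }
    return findings


def harden_share(share):
    """Return a copy of a share with 'fruit' dropped from vfs objects and
    its fruit:* options removed, mirroring the mitigation described above."""
    fixed = {k: v for k, v in share.items() if not k.startswith("fruit:")}
    modules = [m for m in fixed.get("vfs objects", "").split() if m != "fruit"]
    if modules:
        fixed["vfs objects"] = " ".join(modules)
    else:
        fixed.pop("vfs objects", None)
    return fixed


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for name, finding in audit_vfs_fruit(conf).items():
        print(f"[{name}] loads vfs_fruit: {finding}")
        print(f"[{name}] hardened: {harden_share(conf[name])}")
```

Run it against a copy of the device's smb.conf (the script reads only text, so the excerpt can be replaced by `open(path).read()`); a share that is still flagged after the firmware update is the thing to investigate. Note that a `vfs objects` line in `[global]` applies to every share, which is why the audit falls back to it.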
According to the American hard disk drive maker, customers should upgrade their devices to the latest firmware as soon as feasible. The following devices are known to be vulnerable to CVE-2021-44142 attacks:
- My Cloud
- WD Cloud
- My Cloud DL2100
- My Cloud DL4100
- My Cloud EX2100
- My Cloud EX4100
- My Cloud EX2 Ultra
- My Cloud Mirror Gen 2
- My Cloud PR2100
- My Cloud PR4100
Earlier this week, Western Digital patched another severe vulnerability in the open-source Netatalk Apple Filing Protocol fileserver, which is used to access network shares and run Time Machine backups. The problem was fixed with the 5.19.117 firmware upgrade by deprecating the Netatalk service and removing it from My Cloud OS.
The Netatalk service will no longer be accessible after updating the firmware to the current version. However, users of My Cloud devices can configure them to access network shares through SMB instead (Western Digital’s support page explains how to do so).