Synology, QNAP and Western Digital (WD) have warned their customers about several critical Netatalk vulnerabilities that were exploited in a recent hacking competition.
The vulnerabilities were exposed at the Zero Day Initiative’s Pwn2Own Austin contest in November 2021, where participants earned more than $1 million for hacking routers, printers, smart speakers, smartphones, and network-attached storage (NAS) devices. The NAS exploits at Pwn2Own targeted WD devices and netted participants around $500,000.
It turned out that at least half a dozen of the NAS vulnerabilities exploited at Pwn2Own affected Netatalk, the open-source Apple Filing Protocol (AFP) file server.
The vulnerabilities, many of which can be exploited remotely and without authentication to execute arbitrary code, could allow an attacker to take complete control of the target device.
Netatalk developers patched seven vulnerabilities with the release of version 3.1.13 on March 22nd. The bugs are tracked as CVE-2021-31439, CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125, and CVE-2022-0194.
However, the previous Netatalk update was released in December 2018 and many assumed the project was no longer maintained. That includes WD, which released firmware updates for its My Cloud storage devices in January to remove Netatalk. WD products use Netatalk to “access network shares and perform Time Machine backups.”
After Netatalk developers released the update that fixes the vulnerabilities disclosed in Pwn2Own, QNAP found that some of its own NAS products are also affected. The company informed its customers on April 25 that it had already started releasing updates to the QTS operating system to fix the security vulnerabilities. Meanwhile, customers have been advised to disable AFP.
Synology has determined that Netatalk’s vulnerabilities affect its DiskStation Manager (DSM) and Synology Router Manager (SRM) products. A patch is already available for DSM 7.1 and fixes are being developed for the other affected products and versions.
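For administrators trying to decide whether the two mitigations above (update Netatalk or disable AFP) apply to a given device, it helps to know which Netatalk build is actually answering on the AFP port. Netatalk's DSI GetStatus reply carries an FPGetSrvrInfo block whose "machine type" field is, by default, the string "Netatalk" followed by the version (vendor firmware may override this, so an unrecognised string is reported as unknown rather than guessed). The following is an added example, not code from the article or from the Netatalk project; it parses such a reply from a constructed sample packet built in-line, extracts the version, and compares it against 3.1.13, the release the article names as carrying the fixes. It does not open any network connection.

```python
"""Parse an AFP/DSI GetStatus reply and flag Netatalk builds older than 3.1.13.

Added example: the packet layout follows the DSI header (16 bytes) and the
FPGetSrvrInfo block (2-byte offsets to machine type, AFP versions and UAMs,
Pascal strings for names). The sample packet is constructed here, not captured.
"""
import re
import struct
from typing import List, Optional, Tuple

PATCHED_VERSION = (3, 1, 13)   # release that fixed the seven CVEs named in the article
DSI_HEADER_LEN = 16
DSI_GET_STATUS = 3             # DSI command code for GetStatus
DSI_REPLY_FLAG = 1


def _pascal_string(buf: bytes, offset: int) -> str:
    """Read a length-prefixed (Pascal) string starting at offset."""
    length = buf[offset]
    return buf[offset + 1:offset + 1 + length].decode("ascii", errors="replace")


def parse_dsi_reply(packet: bytes) -> bytes:
    """Validate the 16-byte DSI header and return the FPGetSrvrInfo payload."""
    if len(packet) < DSI_HEADER_LEN:
        raise ValueError("short DSI packet")
    flags, command, _req_id, _err, data_len, _reserved = struct.unpack(
        "!BBHiII", packet[:DSI_HEADER_LEN])
    if flags != DSI_REPLY_FLAG or command != DSI_GET_STATUS:
        raise ValueError("not a DSIGetStatus reply")
    payload = packet[DSI_HEADER_LEN:DSI_HEADER_LEN + data_len]
    if len(payload) != data_len:
        raise ValueError("truncated payload")
    return payload


def parse_server_info(info: bytes) -> dict:
    """Extract server name, machine type and advertised AFP versions."""
    machine_off, versions_off, _uams_off, _icon_off, _flags = struct.unpack("!HHHHH", info[:10])
    server_name = _pascal_string(info, 10)          # first field after the fixed header
    machine_type = _pascal_string(info, machine_off)
    count = info[versions_off]
    pos = versions_off + 1
    afp_versions: List[str] = []
    for _ in range(count):
        afp_versions.append(_pascal_string(info, pos))
        pos += 1 + info[pos]
    return {"server_name": server_name, "machine_type": machine_type,
            "afp_versions": afp_versions}


def netatalk_version(machine_type: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a 'Netatalk3.1.12'-style string, else None."""
    m = re.fullmatch(r"Netatalk(\d+)\.(\d+)\.(\d+)", machine_type)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(machine_type: str) -> str:
    """'patched' if >= 3.1.13, 'vulnerable' if older, 'unknown' if not a Netatalk string."""
    version = netatalk_version(machine_type)
    if version is None:
        return "unknown"
    return "patched" if version >= PATCHED_VERSION else "vulnerable"


# --- constructed sample data (mirror of the parser, used only to build a test packet) ---
def build_server_info(server_name: str, machine_type: str, afp_versions: List[str]) -> bytes:
    body = bytearray()
    name = server_name.encode("ascii")
    body += bytes([len(name)]) + name
    machine_off = 10 + len(body)
    mt = machine_type.encode("ascii")
    body += bytes([len(mt)]) + mt
    versions_off = 10 + len(body)
    body += bytes([len(afp_versions)])
    for v in afp_versions:
        vb = v.encode("ascii")
        body += bytes([len(vb)]) + vb
    uams_off = 10 + len(body)
    body += b"\x00"                                  # zero UAMs in this constructed sample
    header = struct.pack("!HHHHH", machine_off, versions_off, uams_off, 0, 0)
    return header + bytes(body)


def build_dsi_reply(payload: bytes, request_id: int = 1) -> bytes:
    return struct.pack("!BBHiII", DSI_REPLY_FLAG, DSI_GET_STATUS, request_id, 0,
                       len(payload), 0) + payload


if __name__ == "__main__":
    sample = build_dsi_reply(build_server_info("nas01", "Netatalk3.1.12", ["AFP3.4", "AFP3.3"]))
    info = parse_server_info(parse_dsi_reply(sample))
    print(info, "->", assess(info["machine_type"]))
```

Run against a real reply, the same functions give a quick inventory answer: "vulnerable" means the device should get the vendor firmware update or have AFP disabled as QNAP advised; "unknown" means the firmware has rebranded the machine type and the version must be confirmed from the vendor's advisory instead.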
On March 23rd, ZDI published advisories for each of the Netatalk vulnerabilities disclosed at Pwn2Own.
Although there don’t seem to be any reports of attacks exploiting these vulnerabilities at this time, it’s not uncommon for cybercriminals to target NAS devices, often delivering file-encrypting ransomware and directing victims to pay a ransom to restore their files.
See also: Serious Vulnerability Exploited During Hacking Competition Affects Over 200 HP Printers
See also: Deadbolt ransomware targeting Asustor NAS devices
See also: QNAP Devices Targeted in a New Wave of DeadBolt Ransomware Attacks