CVE-2022-22995: WDC-22005 Netatalk Security Vulnerabilities | Western Digital
The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting this combination of primitives, an attacker can execute arbitrary code.
WDC Tracking Number: WDC-22005
Published: March 24, 2022
Last Updated: March 24, 2022
Description
Netatalk is an open-source Apple File Protocol fileserver that was being used by Western Digital products to access network shares and perform Time Machine backups. Multiple critical vulnerabilities have been discovered in Netatalk. Because Netatalk is unmaintained, we have removed Netatalk from our firmware released on January 10, 2022. Users can continue to access local network shares and perform Time Machine backup via SMB. For additional information, please refer to this KBA.
To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.
| Product Impact | Minimum Fix Version | Last Updated |
| --- | --- | --- |
| My Cloud PR2100 | 5.19.117 | January 10, 2022 |
| My Cloud PR4100 | 5.19.117 | January 10, 2022 |
| My Cloud EX4100 | 5.19.117 | January 10, 2022 |
| My Cloud EX2 Ultra | 5.19.117 | January 10, 2022 |
| My Cloud Mirror Gen 2 | 5.19.117 | January 10, 2022 |
| My Cloud DL2100 | 5.19.117 | January 10, 2022 |
| My Cloud DL4100 | 5.19.117 | January 10, 2022 |
| My Cloud EX2100 | 5.19.117 | January 10, 2022 |
| My Cloud | 5.19.117 | January 10, 2022 |
| WD Cloud | 5.19.117 | January 10, 2022 |
| My Cloud Home | 7.16-220 | January 10, 2022 |
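To check a device inventory against the minimum fix versions listed above, the following added example (not Western Digital code) compares firmware strings numerically rather than as text. The CSV layout (host, model, firmware), the host names and the sample firmware values are constructed, and the component-by-component numeric ordering of version strings is an assumption.

```python
import csv
import io
import re

# Minimum fix versions, copied from the advisory's product table.
MODELS_5_19_117 = ["My Cloud PR2100", "My Cloud PR4100", "My Cloud EX4100",
                   "My Cloud EX2 Ultra", "My Cloud Mirror Gen 2",
                   "My Cloud DL2100", "My Cloud DL4100", "My Cloud EX2100",
                   "My Cloud", "WD Cloud"]
MIN_FIX = {model: "5.19.117" for model in MODELS_5_19_117}
MIN_FIX["My Cloud Home"] = "7.16-220"

# Constructed sample inventory: host, model, installed firmware.
SAMPLE_INVENTORY = """\
nas-01,My Cloud PR4100,5.19.117
nas-02,My Cloud EX2 Ultra,5.9.200
nas-03,My Cloud Home,7.15-999
nas-04,My Cloud Home,7.16-220
nas-05,Other Vendor NAS,1.0
nas-06,My Cloud,unknown
"""

def version_key(version):
    """Turn '5.19.117' or '7.16-220' into a tuple of ints.

    Assumption: components are ordered numerically, left to right.
    """
    parts = re.split(r"[.-]", version.strip())
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(p) for p in parts)

def audit(inventory_csv):
    """Return {host: 'fixed' | 'needs-update' | 'not-listed' | 'review'}."""
    results = {}
    for row in csv.reader(io.StringIO(inventory_csv)):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        host, model, firmware = (field.strip() for field in row)
        minimum = MIN_FIX.get(model)
        if minimum is None:
            results[host] = "not-listed"  # model is not in the advisory table
            continue
        try:
            fixed = version_key(firmware) >= version_key(minimum)
            results[host] = "fixed" if fixed else "needs-update"
        except ValueError:
            results[host] = "review"  # version string could not be parsed
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A plain string comparison would rank the constructed value 5.9.200 above 5.19.117 and report nas-02 as fixed, which is why the versions are split into integers first.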
Advisory Summary
A stack-based buffer overflow vulnerability was discovered within the ad_addcomment function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.
CVE Number: CVE-2022-0194
Reported By: Theori (@theori_io) working with Trend Micro’s Zero Day Initiative
An improper handling of exceptional conditions issue was found in the parse_entries function that did not properly handle parsing AppleDouble entries. This vulnerability could allow a remote attacker to carry out an unauthenticated remote command execution on affected versions of Netatalk.
CVE Number: CVE-2022-23121
Reported By: NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) working with Trend Micro’s Zero Day Initiative
A stack-based buffer overflow vulnerability was discovered within the setfilparams function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.
CVE Number: CVE-2022-23122
Reported By: Orange Tsai (@orange_8361) from DEVCORE Research Team working with Trend Micro’s Zero Day Initiative
An out-of-bounds read information disclosure vulnerability was discovered in the getdirparams method that could allow an attacker to disclose sensitive information or carry out an unauthenticated remote code execution on the device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.
CVE Number: CVE-2022-23123
Reported By: Orange Tsai (@orange_8361) from DEVCORE Research Team working with Trend Micro’s Zero Day Initiative
An out-of-bounds read information disclosure vulnerability was discovered in the get_finderinfo method that could allow an attacker to disclose sensitive information or carry out an unauthenticated remote code execution on the device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.
CVE Number: CVE-2022-23124
Reported By: Theori (@theori_io) working with Trend Micro’s Zero Day Initiative
A stack-based buffer overflow vulnerability was discovered within the copyapplfile function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.
CVE Number: CVE-2022-23125
Reported By: Theori (@theori_io) working with Trend Micro’s Zero Day Initiative
The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting this combination of primitives, an attacker can execute arbitrary code.
CVE Number: CVE-2022-22995
Reported By: Corentin BAYET (@OnlyTheDuck), Etienne HELLUY-LAFONT and Luca MORO (@johncool__) from Synacktiv working with Trend Micro’s Zero Day Initiative