Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Synology, QNAP, WD Warn Users About Vulnerabilities Exploited at Hacking Contest

Synology, QNAP and Western Digital (WD) have warned their customers about several critical Netatalk vulnerabilities that have been exploited at a recent hacking contest.

Synology, QNAP and Western Digital (WD) have warned their customers about several critical Netatalk vulnerabilities that have been exploited at a recent hacking contest.

The vulnerabilities were disclosed at the Zero Day Initiative’s Pwn2Own Austin contest in November 2021, where participants earned more than $1 million for hacking routers, printers, smart spears, smartphones and network-attached storage (NAS) devices. The NAS exploits at Pwn2Own targeted WD devices, and they earned participants roughly $500,000.

It turns out that at least half a dozen of the NAS vulnerabilities exploited at Pwn2Own affected Netatalk, the open source Apple Filing Protocol (AFP) file server.

The flaws, many of which can be exploited remotely and without authentication for arbitrary code execution, can allow an attacker to take complete control of the targeted device.

Netatalk developers delivered patches for seven vulnerabilities on March 22 with the release of version 3.1.13. The flaws are tracked as CVE-2021-31439, CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125 and CVE-2022-0194.

However, the previous Netatalk update was released in December 2018 and many assumed the project was no longer maintained. This includes WD, which in January released firmware updates for its My Cloud storage devices to remove Netatalk. WD products use Netatalk to “access network shares and perform Time Machine backups.”

After Netatalk developers released the update that patches the vulnerabilities disclosed at Pwn2Own, QNAP determined that some of its own NAS products are also affected. The company informed customers on April 25 that it has already started releasing QTS operating system updates to address the security holes. In the meantime, customers have been advised to disable AFP.

Synology has determined that the Netatalk vulnerabilities affect its DiskStation Manager (DSM) and Synology Router Manager (SRM) products. A patch is already available for DSM 7.1 and fixes are being developed for the other impacted products and versions.

Advertisement. Scroll to continue reading.

ZDI published advisories for each of the Netatalk vulnerabilities disclosed at Pwn2Own on March 23.

While currently there do not appear to be any reports of attacks exploiting these vulnerabilities, it’s not uncommon for cybercriminals to target NAS devices, often delivering file-encrypting ransomware and instructing victims to pay a ransom to recover their files.

Related: Serious Vulnerability Exploited at Hacking Contest Impacts Over 200 HP Printers

Related: Deadbolt Ransomware Targeting Asustor NAS Devices

Related: QNAP Devices Targeted in New Wave of DeadBolt Ransomware Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.