Synology, QNAP and Western Digital (WD) have warned their customers about several critical Netatalk vulnerabilities that have been exploited at a recent hacking contest.
The vulnerabilities were disclosed at the Zero Day Initiative’s Pwn2Own Austin contest in November 2021, where participants earned more than $1 million for hacking routers, printers, smart spears, smartphones and network-attached storage (NAS) devices. The NAS exploits at Pwn2Own targeted WD devices, and they earned participants roughly $500,000.
It turns out that at least half a dozen of the NAS vulnerabilities exploited at Pwn2Own affected Netatalk, the open source Apple Filing Protocol (AFP) file server.
The flaws, many of which can be exploited remotely and without authentication for arbitrary code execution, can allow an attacker to take complete control of the targeted device.
Netatalk developers delivered patches for seven vulnerabilities on March 22 with the release of version 3.1.13. The flaws are tracked as CVE-2021-31439, CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125 and CVE-2022-0194.
However, the previous Netatalk update was released in December 2018 and many assumed the project was no longer maintained. This includes WD, which in January released firmware updates for its My Cloud storage devices to remove Netatalk. WD products use Netatalk to “access network shares and perform Time Machine backups.”
After Netatalk developers released the update that patches the vulnerabilities disclosed at Pwn2Own, QNAP determined that some of its own NAS products are also affected. The company informed customers on April 25 that it has already started releasing QTS operating system updates to address the security holes. In the meantime, customers have been advised to disable AFP.
Synology has determined that the Netatalk vulnerabilities affect its DiskStation Manager (DSM) and Synology Router Manager (SRM) products. A patch is already available for DSM 7.1 and fixes are being developed for the other impacted products and versions.
ZDI published advisories for each of the Netatalk vulnerabilities disclosed at Pwn2Own on March 23.
While currently there do not appear to be any reports of attacks exploiting these vulnerabilities, it’s not uncommon for cybercriminals to target NAS devices, often delivering file-encrypting ransomware and instructing victims to pay a ransom to recover their files.