Western Digital has recently addressed a critical security vulnerability affecting its My Cloud OS 5 NAS devices. Exploiting the bug allows an unauthenticated attacker to gain root access to the target devices. It can further pave the way for remote code execution.
A Samba Bug Affecting My Cloud OS 5 Devices
According to a recent advisory from Western Digital, a serious security vulnerability affects My Cloud OS 5 NAS devices. As revealed, the devices are affected by a Samba heap out-of-bounds read/write vulnerability that allows remote code execution. The vulnerability affects Samba installations that use the VFS module vfs_fruit, in all versions before 4.13.17.
Briefly, Samba is a free software re-implementation of the SMB networking protocol that integrates with Microsoft Windows servers. The software can also run on Linux, Solaris, and other Unix-based systems, alongside macOS server and client.
This critical Samba vulnerability (CVE-2021-44142; CVSS 9.9) caught attention earlier this year. Disclosing the bug details, Samba stated in its advisory:
The specific flaw exists within the parsing of EA metadata when opening files in smbd… The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file.
Exploiting this vulnerability could allow an unauthenticated remote adversary to execute code on the target device. Anyone with read/write access to a file's extended attributes could exploit the flaw.
At that time, the vendors also released fixes in Samba 4.13.17, 4.14.12, and 4.15.5.
And now Western Digital, the American computer hard disk and data storage firm, has disclosed that the same vulnerability affects its NAS devices. Specifically, the affected devices include:
- My Cloud DL2100
- My Cloud DL4100
- My Cloud EX2100
- My Cloud
- WD Cloud
- My Cloud PR2100
- My Cloud PR4100
- My Cloud EX4100
- My Cloud EX2 Ultra
- My Cloud Mirror Gen 2
Nonetheless, the tech giant has already addressed the matter with the release of My Cloud OS 5 Firmware version 5.21.104. This version is available for all the above-mentioned products. Thus, users can simply update their devices’ firmware to receive the fix.