Pierluigi Paganini March 27, 2022

Western Digital fixed a critical flaw affecting My Cloud OS 5 devices that allowed attackers to gain remote code execution with root privileges.

Western Digital has addressed a critical vulnerability, tracked as CVE-2021-44142, that could have allowed attackers to gain remote code execution with root privileges on unpatched My Cloud OS 5 devices.

The CVE-2021-44142 flaw affects the following devices:

• My Cloud PR2100
• My Cloud PR4100
• My Cloud EX4100
• My Cloud EX2 Ultra
• My Cloud Mirror Gen 2
• My Cloud DL2100
• My Cloud DL4100
• My Cloud EX2100
• My Cloud
• WD Cloud

The CVE-2021-44142 vulnerability is a Samba out-of-bounds heap read/write that impacts the vfs_fruit VFS module when parsing EA metadata when opening files in smbd.

This VFS module is part of the samba suite and provides enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver.

“The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.” reads the security advisory for this flaw. “The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file. If both options are set to different settings than the default values, the system is not affected by the security issue.”

The flaw affects all versions of Samba prior to 4.13.17, an attacker can trigger this vulnerability without user interaction. The vulnerability was reported by the security researcher Orange Tsai from DEVCORE.

“This specific flaw exists within the parsing of extended attributes (EA) metadata when opening a file in smbd. This vulnerability can be exploited by unauthenticated users if they are allowed write access to file extended attributes.” reads the advisory published by Western Digital. “This vulnerability was addressed by removing the “fruit” VFS module from the list of configured VFS objects and by changing EA support configurations.”

The vulnerability was reported by Nguyen Hoang Thach (@hi_im_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) working with Trend Micro’s Zero Day Initiative.

Western Digital fixed the issue by removing the “fruit” VFS module from the list of configured VFS objects and changing EA support configurations. The company addressed the flaw with the release of My Cloud OS 5 Firmware 5.21.104 on March 23, 2022.

Western Digital also addressed another critical vulnerability in the open-source Netatalk Apple File Protocol fileserver.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, BazarLoader)

[adrotate banner=”5″]

[adrotate banner=”13″]