Western Digital My Cloud OS update fixes critical vulnerability

From bleepingcomputer.com

Western Digital has released new My Cloud OS firmware to fix a vulnerability exploited by bug hunters during the Pwn2Own 2021 hacking competition to achieve remote code execution.

The flaw, tracked as CVE-2022-23121, was exploited by members of NCC Group’s EDG team and relied on the open-source “Netatalk Service” included in My Cloud OS.

The vulnerability, which has a CVSS v3 severity score of 9.8, allows remote attackers to execute arbitrary code on the target device (in this case, the WD PR4100 NAS) without requiring authentication.
