Finding Netatalk instances
A critical vulnerability in the Netatalk open source file server software was found in some popular network attached storage (NAS) devices. Netatalk provides services for the deprecated AFP (Apple Filing Protocol, formerly known as Appletalk Filing Protocol), and runs on a number of operating systems including Linux, FreeBSD, OpenBSD, NetBSD, and Solaris.
Researchers with NCC’s Exploit Development Group discovered and disclosed this vulnerability, which has been assigned CVE-2022-23121 and dubbed “Mooncake”. It does require a writable file share for exploitation but does not require authentication, yielding root-level remote code execution. The report identified some popular NAS devices, including products in Western Digital’s MyCloud line, as running vulnerable versions of Netatalk in their distributed firmware.
Multiple vendors have made patches available to address the vulnerability. Project maintainers of Netatalk released version 3.1.13, which also included a number of other vulnerability fixes for “critical” and “high” scored CVEs. Users should either upgrade to this new release or consider disabling/removing Netatalk altogether in favor of SMB or NFS for network file shares. (Apple themselves no longer support AFP.) Western Digital also released updated firmware (v5.19.117) for affected devices, which removes Netatalk altogether from their firmware (and patched a number of other vulnerabilities). Western Digital recommends users upgrade to the latest firmware release and switch over to using SMB for network file sharing.
On April 28, 2022, Synology announced that some of their network-attached storage (NAS) appliances may be exposed to attacks exploiting Netatalk vulnerabilities. In addition to CVE-2022-23121 , Synology called out three vulnerabilities CVE-2022-23125, CVE-2022-23122, CVE-2022-0194 that allow attackers to run arbitrary code remotely on unpatched systems. Another NAS appliance maker, QNAP, also urged their customers to disable AFP until they’re able to resolve the Netatalk vulnerabilities.
Security updates for some of the impacted products may not be available yet. Affected customers are advised to check for updates frequently and apply them as soon as they are available.
port:548 AND (type:nas OR hw:"Western Digital")
This query will surface NAS and Western Digital assets which appear to be running an AFP service, providing a starting point for additional investigation and triage.
Don’t have Rumble and need help finding potentially vulnerable Netatalk instances? Start your Rumble trial today.
May 12, 2022
Wrangling the May 2022 Patch Tuesday
Microsoft recently released security updates for over 70 vulnerabilities, including 3 zero-days and 7 critical vulnerabilities that affect a wide-range of their products and services. The list of patches covers an actively exploited zero-day vulnerability in the Windows …Read More
May 5, 2022
Finding F5 BIG-IP instances
Technology vendor F5 recently published information on over 40 vulnerabilities, mostly affecting their BIG-IP line of products. While these vulnerabilities include a mix of types and severities, a particular authentication bypass vulnerability that can affect all BIG-IP …Read More
March 30, 2022
Finding Kaspersky AV on your Windows endpoints
Late last week, the U.S. Federal Communications Commission announced it had added Russian-based Kaspersky Lab to its Covered List, maintained by the FCC to identify “entities that pose an unacceptable risk to U.S. national security.” This follows a 2017 action by the U.S. …Read More