Finding Netatalk instances

(updated ), by Pearce Barry

A critical vulnerability in the Netatalk open source file server software was found in some popular network attached storage (NAS) devices. Netatalk provides services for the deprecated AFP (Apple Filing Protocol, formerly known as Appletalk Filing Protocol), and runs on a number of operating systems including Linux, FreeBSD, OpenBSD, NetBSD, and Solaris.

What is the impact of Mooncake? #

Researchers with NCC’s Exploit Development Group discovered and disclosed this vulnerability, which has been assigned CVE-2022-23121 and dubbed “Mooncake”. It does require a writable file share for exploitation but does not require authentication, yielding root-level remote code execution. The report identified some popular NAS devices, including products in Western Digital’s MyCloud line, as running vulnerable versions of Netatalk in their distributed firmware.

Are updates available for the vulnerability? #

Multiple vendors have made patches available to address the vulnerability. Project maintainers of Netatalk released version 3.1.13, which also included a number of other vulnerability fixes for “critical” and “high” scored CVEs. Users should either upgrade to this new release or consider disabling/removing Netatalk altogether in favor of SMB or NFS for network file shares. (Apple themselves no longer support AFP.) Western Digital also released updated firmware (v5.19.117) for affected devices, which removes Netatalk altogether from their firmware (and patched a number of other vulnerabilities). Western Digital recommends users upgrade to the latest firmware release and switch over to using SMB for network file sharing.

Synology NAS appliance and QNAP may be vulnerable #

On April 28, 2022, Synology announced that some of their network-attached storage (NAS) appliances may be exposed to attacks exploiting Netatalk vulnerabilities. In addition to CVE-2022-23121 , Synology called out three vulnerabilities CVE-2022-23125, CVE-2022-23122, CVE-2022-0194 that allow attackers to run arbitrary code remotely on unpatched systems. Another NAS appliance maker, QNAP, also urged their customers to disable AFP until they’re able to resolve the Netatalk vulnerabilities.

Security updates for some of the impacted products may not be available yet. Affected customers are advised to check for updates frequently and apply them as soon as they are available.

How do I find potentially vulnerable Netatalk instances with runZero? #

From the Asset Inventory, use the following pre-built query to locate assets within your network that could be running vulnerable versions of Netatalk:

port:548 AND (type:nas OR hw:"Western Digital")
Netatalk prebuilt query is available in the Queries Library

This query will surface NAS and Western Digital assets which appear to be running an AFP service, providing a starting point for additional investigation and triage.

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

Get runZero for free

Don’t have runZero and need help finding potentially vulnerable Netatalk instances?

Get started
Learn more about runZero
Pearce Barry
Written by Pearce Barry

Pearce Barry is a Director of Security Research at runZero. Barry joined runZero in June 2021, working on the Metasploit Project the four years prior. Now, Pearce leads research efforts at runZero, which includes creating and improving fingerprints, adding to protocols, enhancing scanning logic, and writing queries.

Similar Content

September 29, 2023

How to find WS_FTP Server instances?

How to find WS_FTP Server instances? # On September 27th, Progress Sofware announced eight vulnerabilities in the WS_FTP Server software. These issues can lead to a full compromise of exposed WS_FTP systems and their data through the FTP, SSH, and web management services, …

Read More

September 26, 2023

How to find TeamCity instances

How to find TeamCity assets? # On September 20th, JetBrains announced a critical authentication bypass vulnerability that impacts users running the TeamCity On-Premises product. The vulnerability is being tracked using CVE-2023-42793 and presents the weakness of CWE-288 …

Read More

September 12, 2023

How to find OpenSSL 1.1 instances

How to find OpenSSL 1.1 instances # On September 11th, the venerable OpenSSL 1.1.1 reached its end of life date. That means that it will no longer be receiving publicly-available security fixes. Users without a third-party extended support contract will no longer receive …

Read More