Western Digital’s response at the time was that the affected devices were no longer supported and that customers should avoid connecting them to the Internet.
In some ways, it’s remarkable that it took this long for vulnerable MyBook devices to be attacked: The 2018 Wizcase writeup on the flaw includes proof-of-concept code that lets anyone run commands on the devices as the all-powerful “root” user. The NVD’s advisory credits VPN reviewer with reporting the bug to Western Digital three years ago, back in June 2018.
“It can be triggered by anyone who knows the IP address of the affected device, as exploited in the wild in June 2021 for factory reset commands,” NVD wrote.Įxamine the CVE attached to this flaw and you’ll notice it was issued in 2018. The NVD writeup says Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug. Western Digital’s brief advisory includes a link to an entry in the National Vulnerability Database for CVE-2018-18472. We are actively investigating the issue and will provide an updated advisory when we have more information.”
We understand that our customers’ data is very important.
The My Book Live and My Book Live Duo devices received its final firmware update in 2015. “In some cases, this compromise has led to a factory reset that appears to erase all data on the device. “Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” the company said in a statement June 24. One of many similar complaints on Western Digital’s user forum.Įarlier this week, Bleeping Computer and Ars Technica pointed to a heated discussion thread on Western Digital’s user forum where many customers complained of finding their MyBook Live and MyBook Live Duo devices completely wiped of their data.
0 kommentar(er)
