Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

“I’m totally screwed.” WD My Book Live users wake up to find their data deleted

Featured Replies

We might see an influx of new users.

Brace for impact.   :D 

After the qnap ransomware attack another thing that smells like a breach...this is why backups should be offline :P

 

Quote

"Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device, as exploited in the wild in June 2021 for factory reset commands"
https://nvd.nist.gov/vuln/detail/CVE-2018-18472

🙈

 

WD response:

Quote

The vulnerability report CVE-2018-18472 affects My Book Live devices originally introduced to the market between 2010 and 2012. These products have been discontinued since 2014 and are no longer covered under our device software support lifecycle. We encourage users who wish to continue operating these legacy products to configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device.

Western Digital takes the security of our customers’ data seriously, and we provide security updates for our products to address issues from both external reports and regular security audits. Additionally, we welcome the opportunity to work with members of the security research community through responsible disclosure to help protect our users. Users who wish to find the latest security update for their Western Digital device may do so on our support portal at https://support.wdc.com. Security researchers who wish to contact Western Digital can find contact information as well as a PGP key at https://www.wdc.com/security/reporting.html.

 🙈 🙈 🙈 🙈 🙈

 

For such a severe vulnerability one should always provide patches.....

Edited by ghost82

  • Author
On 6/25/2021 at 2:05 PM, ChatNoir said:

We might see an influx of new users.

Brace for impact.   :D 

Doubt that - they are a different kind of a customer.

A more likely outcome for most of them would be to move onto Synology, Qnap or just a replacement external.

  • Author
8 hours ago, SpencerJ said:

Schrader’s guess at what happened at Western Digital is that “someone had the idea to centralize all the authentication into a single file and forgot to remove all line-disabling comments from the code before releasing it,” he said via email.

That this is used in an exploit about two month later is a surprise, but only because it took that long.

What kind of QA is done at Western Digital?""

😲

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.