WD My Book Live Vulnerability

For anyone who owns one of these internet-connected WD storage devices:

Western Digital has determined that Internet-connected My Book Live and My Book Live Duo devices are under attack by exploitation of multiple vulnerabilities present in the device. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.

Initial story was reported here on 6/24:

And a follow-up:

Statement from WD:
 
Is it still at risk when connected to the router but with none of the cloud features enabled? Only with a local SMB share?

Having a TP-Link Archer C6, it's not as easy to block off internet access as I thought it would be: either I can block it completely in a blacklist, which means I cannot access it at all anymore, or turn off internet use in the parental controls, which I did for now. The question is: is that enough?
 
A few key points:

WD said:
The My Book Live firmware is vulnerable to a remotely exploitable command injection vulnerability when the device has remote access enabled. This vulnerability may be exploited to run arbitrary commands with root privileges. Additionally, the My Book Live is vulnerable to an unauthenticated factory reset operation which allows an attacker to factory reset the device without authentication. The unauthenticated factory reset vulnerability has been assigned CVE-2021-35941.

And:

WD said:
As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning. The vulnerabilities being exploited in this attack are limited to the My Book Live series, which was introduced to the market in 2010 and received a final firmware update in 2015.

So, this really isn't the "news" that it presents as. Yes, it's awful, no doubt, but the device, without remote access enabled and not exposed to the internet, wouldn't be vulnerable to the exploit. Unfortunately, automatic port forwarding through mechanisms like UPnP means that devices like these get exposed to the internet, sometimes even when the person has no need for it, and that allows these exploits to be utilized.

So Betty sets up her My Book Live and turns on remote access so she can see her kitty pics from the cottage. Her Netgear/Linksys/TP-Link/D-Link router, which has UPnP on from the factory, automatically forwards the ports, and for 10 years she's using it this way, completely oblivious to the gaping security holes present in a product that the OEM hasn't supported since 2015.

I recall chewing on consumer routers getting abandoned in the same way a while back: gaping holes in their firmware that are never patched.
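As an added example that isn't part of this thread and isn't WD's or any router vendor's code: the thing Betty never did is look at what UPnP actually opened on her router. The script below asks a UPnP IGD router for its port-mapping table over SOAP (GetGenericPortMappingEntry, walked by index until the router answers with the end-of-table fault) and lists every enabled mapping that lands on the NAS. The router's control URL, the NAS address 192.168.1.50 and the sample responses are assumptions made for the demo, and SSDP discovery of the control URL is left out.

```python
"""Audit a UPnP IGD router's port-mapping table for entries that expose a LAN host.

Added example for this thread, not WD's or any router vendor's code. Assumed
(hypothetical, not from the thread): the router implements WANIPConnection:1,
its SOAP control URL is already known (SSDP discovery is left out), and
192.168.1.50 stands in for the NAS.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ENVELOPE = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"'
            ' s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            '<s:Body>{}</s:Body></s:Envelope>')


@dataclass
class Mapping:
    remote_host: str   # "" means any internet source address
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    enabled: bool
    description: str


def soap_request(index: int) -> bytes:
    """GetGenericPortMappingEntry request for table slot `index`."""
    body = (f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex></u:GetGenericPortMappingEntry>')
    return ENVELOPE.format(body).encode()


def parse_mapping(xml_text: str) -> Mapping:
    """Parse one GetGenericPortMappingEntryResponse. Tags are matched by local name,
    so a router that namespaces the argument elements still parses."""
    fields = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip()
              for el in ET.fromstring(xml_text).iter()}
    return Mapping(
        remote_host=fields.get("NewRemoteHost", ""),
        external_port=int(fields["NewExternalPort"]),
        protocol=fields["NewProtocol"].upper(),
        internal_port=int(fields["NewInternalPort"]),
        internal_client=fields["NewInternalClient"],
        enabled=fields.get("NewEnabled", "0") == "1",
        description=fields.get("NewPortMappingDescription", ""),
    )


def fetch_mappings(control_url: str, limit: int = 256) -> list:
    """Walk the mapping table by index. The router answers the first empty slot with
    a SOAP fault (UPnP error 713, SpecifiedArrayIndexInvalid), which ends the walk."""
    found = []
    for index in range(limit):
        req = urllib.request.Request(
            control_url, data=soap_request(index), method="POST",
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                found.append(parse_mapping(resp.read().decode()))
        except urllib.error.HTTPError:
            break
    return found


def exposed_mappings(mappings: list, host_ip: str) -> list:
    """Enabled mappings that forward internet traffic to host_ip."""
    return [m for m in mappings if m.enabled and m.internal_client == host_ip]


def _sample(ext, proto, intp, client, enabled, desc):
    """Constructed response (not captured from a real router) for the offline demo."""
    return ENVELOPE.format(
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
        f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{intp}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse>')


SAMPLE_RESPONSES = [
    _sample(8080, "TCP", 80, "192.168.1.50", 1, "WD NAS remote access"),
    _sample(443, "TCP", 443, "192.168.1.50", 1, "WD NAS remote access"),
    _sample(51413, "TCP", 51413, "192.168.1.77", 1, "torrent client"),
]


if __name__ == "__main__":
    # python upnp_audit.py <control_url> <nas_ip>  (live)   or no arguments (offline sample)
    if len(sys.argv) == 3:
        hits = exposed_mappings(fetch_mappings(sys.argv[1]), sys.argv[2])
    else:
        hits = exposed_mappings([parse_mapping(r) for r in SAMPLE_RESPONSES], "192.168.1.50")
    for m in hits:
        print(f"WAN {m.protocol}/{m.external_port} -> {m.internal_client}:{m.internal_port}  {m.description}")
```

Run with no arguments it walks the constructed sample and reports the two mappings that reach the NAS; with a control URL and the NAS's LAN address it queries the real router. An empty result is only as good as the router's honesty about its own table, so the belt-and-braces check is still to disable UPnP on the router and confirm from outside the LAN that nothing answers on the forwarded ports.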