Bash vulnerability in My Book Live

WD “My book live” is vulnerable to the latest GNU bash vulnerability CVE-2014-6271

MyBookLive:~# bash --version
GNU bash, version 3.2.39(1)-release (powerpc-unknown-linux-gnu)
Copyright (C) 2007 Free Software Foundation, Inc.
MyBookLive:~# env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
busted
stuff

I hope someone in WD team is taking note of this and patching this soon.

This doesn’t clarify whether bash is the default shell or not on My Book Live - bash could just be included as an optional shell, just like it is on the My Cloud EX2, and not be the default shell. How do you know that bash is the default shell? Nothing in your snippet tells me that it is. It just shows bash’s version number and then runs the test for the vulnerability (and proves that it is vulnerable). Where is the confirmation that bash is being used as the default shell - that’s what matters. If it’s not the default shell then this is a wild goose chase.

So how would one make sure that it is (not) the default shell?

MyBookLive:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

Bash is the default shell for user logins – but the vulnerability is only exposed if a vector to BASH is available from the outside.

For example, I don’t think that WD Photos or WD My Cloud services are using CGI scripts…  and those are the only accessible functions from the outside that I’m aware of…
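An added example, not part of the original thread or WD's software: a shell script that addresses the default-shell question by resolving what /bin/sh really is, listing accounts whose login shell is bash, and running the probe from the posts above against a chosen shell binary. The function names and the `--report` flag are this example's own.

```shell
#!/bin/sh
# Added example: local check of which shell is in use and whether it is affected.

# Resolve what a shell path really is; /bin/sh is often a symlink.
sh_target() {
    readlink -f "${1:-/bin/sh}"
}

# List accounts whose login shell is bash (field 7 of a passwd-format file).
bash_login_users() {
    awk -F: '$7 ~ /(^|\/)bash$/ { print $1 }' "${1:-/etc/passwd}"
}

# Run the thread's CVE-2014-6271 probe against one shell binary.
# Returns 0 if the shell ran the command trailing the function definition
# while importing the environment variable (vulnerable), 1 otherwise.
shellshock_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo probe' 2>/dev/null)
    printf '%s\n' "$out" | grep -qx 'vulnerable'
}

# Print a short report for the machine the script runs on.
report() {
    echo "/bin/sh resolves to: $(sh_target /bin/sh)"
    echo "accounts with bash as login shell: $(bash_login_users | tr '\n' ' ')"
    for s in /bin/sh /bin/bash; do
        [ -x "$s" ] || continue
        if shellshock_6271 "$s"; then
            echo "$s: VULNERABLE to CVE-2014-6271"
        else
            echo "$s: probe command was not executed"
        fi
    done
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Shells such as dash or BusyBox ash do not import functions from the environment, so a "vulnerable" result for /bin/sh means /bin/sh is itself an affected bash.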

It also seems it is only if you are allowing non-auth users… Correct?

The Shellshock vulnerability can be exploited on systems that are running Services or applications that allow unauthorized remote users to assign Bash environment variables. Examples of exploitable systems include the following:

  • Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or launch to Bash subshells
  • Certain DHCP clients
  • OpenSSH servers that use the ForceCommand capability
  • Various network-exposed services that use Bash

We have passed this along to Support.

Regards,
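An added example, not part of the original thread or WD's software: a shell script that looks on the local filesystem for two of the vectors in the list quoted above, CGI scripts interpreted by bash or sh and active `ForceCommand` directives in an sshd configuration. The function names, the `--report` flag and the default paths are assumptions of this example; the My Book Live's actual web and SSH layout is not described on this page.

```shell
#!/bin/sh
# Added example: find local entry points that could hand remote input to bash.
# Paths are passed in; the defaults in report() are assumptions.

# Print files under a CGI directory whose interpreter line names bash or sh.
# "#!/bin/sh" counts because /bin/sh can itself be bash on an affected system.
cgi_shell_scripts() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\r')
        case "$first" in
            '#!'*/bash*|'#!'*/sh|'#!'*/sh' '*|'#!'*'env bash'*|'#!'*'env sh'*)
                printf '%s\n' "$f" ;;
        esac
    done
}

# Print active (uncommented) ForceCommand lines from an sshd_config-format
# file. sshd keywords are case-insensitive, hence grep -i.
forcecommand_lines() {
    grep -iE '^[[:space:]]*ForceCommand[[:space:]]' \
        "${1:-/etc/ssh/sshd_config}" 2>/dev/null
}

# Print both findings for the machine the script runs on.
report() {
    cgi_dir=${1:-/usr/lib/cgi-bin}   # assumed location; adjust for the device
    echo "shell-based CGI scripts under $cgi_dir:"
    cgi_shell_scripts "$cgi_dir" | sed 's/^/  /'
    echo "active ForceCommand directives:"
    forcecommand_lines /etc/ssh/sshd_config | sed 's/^/  /'
}

if [ "${1:-}" = "--report" ]; then report "${2:-}"; fi
```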

This thread seems to be the one tracking this issue.

I for one would welcome giving support all the time it needs to resolve this issue and roll out a patch if the My Book Live turns out to be vulnerable.

In the meantime, is there any advice you can give us users to mitigate being compromised? For example, would turning off remote access (settings–>remote access–>remote access–>enable OFF [unticked]) using the dashboard help? I realise this breaks useful functionality for many but it is better to be safe than sorry, right?

Grytr

WD’s My Cloud family of personal cloud products is potentially susceptible to the BASH/ Shellshock vulnerability. WD’s default software configuration and typical deployment for My Cloud devices lowers the risk to this threat. WD takes this threat seriously and is working on a patch to address this issue.

Out of curiosity, I decided to take a small risk and upgrade bash.  Though my device functions properly after the upgrade, the new version I was able to install with apt-get is 4.2.37(1)-release so is still vulnerable.

Bill, thanks for the feedback. How will we know when a patch is released?

I will announce it everywhere.

Yes. It is the default shell - at least I have not changed the shell on my MBL.

I tried apt-get upgrade a couple of days ago.

The process ended in an error after downloading some 25 MB of other programs.

So, I am not sure if there is a patch as of today.

Anyone?

Bill_S wrote:

I will announce it everywhere.

Any time soon on this one???

mybookW2 wrote:


Bill_S wrote:

I will announce it everywhere.


Any time soon on this one???

I don’t know. But I’m sure they’re working on it.

Why aren’t there more people expressing their dissatisfaction over WD’s responsiveness to this issue???

All we get from them is “I don’t know” & “I’m sure they’re working on it”.

It has now been 2 months since this issue came into the spotlight and WD’s last comment about this dates to over one month ago.

Take a look at how a competitor to WD (in the Network Attached Storage space) acknowledges this problem and how quickly they came out with a resolution:

Security Bulletins and Advisories

The main vulnerabilities that are involved here (the Bash vulnerabilities, otherwise known as “Shellshock” and “Aftershock”) are CVE-2014-6271 and CVE-2014-7169.  You can see them in QNAP’s list under dates Sept 29, 2014 & Oct 5, 2014.

QNAP has even gone so far as to release a malware remover for their devices:

Protect Your Turbo NAS from Malware – Malware Remover.

I had a sales representative in a computer store the other day describe WD’s NAS solutions as “NAS with Training Wheels”.  I didn’t believe him at first, but after having taken a good hard look at things, I think that WD’s responsiveness in this situation is completely lacking.

I really hope that owners of these devices will educate themselves about this issue.  Here are some articles that I have found which elaborate on the problem and talk about how badly NAS devices have been impacted:

What ‘Shellshock’ means to you and me

The Shellshock Aftershock for NAS Administrators.

It does seem to be taking a very long time to get new firmware out to address this security issue… particularly noting competing similar products [e.g. Buffalo] have fixed it a while back now! I’m losing patience now.

Does anyone have any information, or an indicative timeframe?

Roaming wrote:

particularly noting competing similar products [e.g. Buffalo] have fixed it a while back now! 

They’ve released patches for systems they no longer are supporting?

Tony, yes.

Buffalo has released new firmware that addresses vulnerabilities of Bash programming which allows remote attackers to execute arbitrary commands (CVE-2014-6271 and CVE-2014-7169) - for their current, and older products such as: LS-XHL, LS-CHL, LS-WXL, LS-WSXL, LS-SL, LS-AVL, LS-VL, LS-WVL, LS-QVL, LS-XL, LS-YL, LS-WXBL.

More to the point, the WD MyBook Live products are not obsolete; they are good units and have plenty of life in them – and WD has stated it takes the problem seriously and that it is working on a fix. That said, I think owners have a right to feel somewhat let down with the lack of action so far! My affected products will be on eBay pretty soon if it is not fixed – and it would be very unlikely I would consider further WD products in that instance.

It would be good if WD provided further information at this time, unless new firmware to address this security issue is not just about to be released.

Sorry, Roaming, nobody’s going to say anything more until we have something definitive to say.  I have a My Book Live, also, and I’m having to wait just like everyone else. 

Quoting Bill_S, WD Community Manager:

—snip—

“nobody’s going to say anything more until we have something definitive to say”

—snip—

I would think that a responsible vendor would at least offer GUIDANCE  such as:

  1. Turn your My Book Live & My Cloud devices OFF and leave them OFF until we have something definitive to say.
  2. Go into the configuration of your My Book Live & My Cloud devices and at least DISABLE REMOTE ACCESS until we have something definitive to say.
  3. Move your My Book Live & My Cloud devices from a LAN that connects directly to the Internet (i.e. through a typical Internet Gateway appliance) onto an isolated LAN that cannot be reached from the Internet.

TWO+ MONTHS with NOTHING DEFINITIVE to say.  Are they even looking at it?  Ridiculous…