Bash vulnerability in My Book Live

Hahaha they won’t be looking at it, every now and again an update might be released, it’ll have bugs that break features, then it will take a year or so for a patch to be released which then breaks something else! This is WD NAS drives, good HDD bad software, I never plan on buying WD again!

1 Like

Bill honestly **bleep**… are you guys going???

It’s been months now and I have yet to see an update. Last time I am ever buying a WD product.

This is ridiculous at best. The whole industry has patched their products and you just issue ironic messages pretending as if nothing is happening.

Honestly you and your team are a disgrace!

I truly hope whichever ■■■■■ you have trying to issue the update decides to finish soon… a 5 year old would have patched it by now…

1 Like

Question to the masses – so, yes, BASH on the MBL and Duo are vulnerable.

But does that mean the NAS is vulnerable? I haven’t seen anyone actually state that there’s any attack vector on these boxes that works.

CGI scripts are PHP-based, not shell based.

It doesn’t run OpenSSH exposed to the internet.

It doesn’t run QMail.

It doesn’t run HMC.

So, even though BASH is broken, what’s the risk?

Well, it does not really matter if there is a documented attack vector - you could not be very confident having these things deployed until known vulnerabilities are addressed.

Firmware 02.43.09 - 038 (1/27/2015) now addresses Shellshock (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187) bash security vulnerability. So that is good - albeit a very long time in coming! And I might add not soon enough given that I replaced our MyBookLives already on account of the delay!

Anyway, for what it is worth, I can report the new firmware installed without any hitches on a few of my MyBookLive and MyBookLive Duos.

1 Like
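A way to confirm on the device itself that a firmware update actually replaced the vulnerable bash, as an added example that is not part of the original posts and is not WD's code. It covers only CVE-2014-6271 and CVE-2014-7169 from the list above, and it assumes shell access to the NAS with `env` and `mktemp` available; the function name and marker string are made up for the example.

```shell
#!/bin/sh
# Added example (not WD's or any poster's code): local Shellshock self-test.
# Prints "vulnerable", "patched" or "unknown" for the bash binary given as $1.
check_shellshock() {
    bash_bin="${1:-/bin/bash}"
    [ -x "$bash_bin" ] || { echo "unknown"; return 2; }

    # Test 1 (CVE-2014-6271): an unpatched bash parses an environment value
    # that looks like a function definition and runs the command after it.
    out=$(env -i PATH=/usr/bin:/bin \
          probe='() { :;}; echo SHELLSHOCK_MARKER' \
          "$bash_bin" -c 'echo finished' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *finished*) ;;
        *) echo "unknown"; return 2 ;;
    esac

    # Test 2 (CVE-2014-7169): the first incomplete fix still let a malformed
    # definition turn the next word into a redirect target, creating a file
    # named "echo". Run in a scratch directory so nothing else is touched.
    scratch=$(mktemp -d) || { echo "unknown"; return 2; }
    ( cd "$scratch" && env -i PATH=/usr/bin:/bin X='() { (a)=>\' \
          "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$scratch/echo" ]; then
        rm -rf "$scratch"; echo "vulnerable"; return 1
    fi
    rm -rf "$scratch"
    echo "patched"
}

# Check the bash found on PATH (falls back to /bin/bash if none is found).
check_shellshock "$(command -v bash)"
```

Running it before and after the firmware update shows whether the bash binary itself changed; a "patched" result says nothing about the other four CVEs the release notes list.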

I am the OP of this thread.

I installed the firmware last week (somehow I never got the prompt earlier). 

My reluctance with the firmware update was that every firmware update will reset all my settings.

So, my OpenVPN configuration got wiped out and I had no backup.

Now, while this is not a WD bashing thread, (I really like the hard disks), I am somehow disheartened to figure out that almost all the software on the MBL is outdated.

I wanted to use TLS 1.2 only with my VPN provider and it seems the OpenVPN client that is installed is so old that it does not support that option.

I tried upgrading it, but ran into a lot of error messages.

In general there are tons of packages which are outdated and there is no simple way to upgrade them.

I understand that this is not supported by WD, but if I would like to use this hard disk with VPN, I cannot even get iptables to work at the moment.

Does anyone have the same challenges or even better, offer some solution?