WD knew My Book Live remote execution exposure years ago!

ATTENTION: For anyone who lost data on your My Book Live

Just click the links WD provided:

then

then scroll down and click CVE number
NVD - CVE-2018-18472 Severity 9.8/10 Critical about as bad as security could possibly be.

Western Digital WD My Book Live (all versions) has a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device.

The My Book Live remote execution was known to WD certainly in 2018.

Anyone who lost data should be asking WD to pay the big bucks to have your data restored. And it is so easy to exploit. Anyone in world just needs the IP address and they can run anything they want.

3 Likes

I hope we get more eyeballs on this issue. I’m wondering if that attack was a one-time affair, or if users are still losing data to subsequent attacks. Either way, I’m left wondering if WD’s current NAS products have similar vulnerabilities, and they won’t correct those either. I won’t be taking a chance.

3 Likes

If this is not addressed, I will be throwing away my WD equipment and advocating against WD for the rest of my life. And, I can affect a large audience with billboards and other media.

3 Likes

Waay too late to address this, damage is done!

Thank you for your research.

so, who is going to know when the data can be restored or not?

how are they going to notify us?

ARE they going to notify us?

i am a small business owner, and ALL of my business was on my MyBook Live… :unamused:

This user has posted the most detailed information about data recovery: Help! All data in mybook live gone and owner password unknown - #227 by andyman1222

Other users have reported success with Ontrack EasyRecovery and PhotoRec.

Still others have had their hardware evaluated by a professional data recovery firm.

i am a small business owner, and ALL of my business was on my MyBook Live… :unamused:

Sorry to hear that. I hope you’re able to recover some of it. If it’s any consolation, most of us learn about data loss the hard way. (Many years ago, I did too!)

is the WD Mycloud 4TB on firmware 5.14.105 safe?

Read the WizCase link and come to your own conclusion as this was from 2018.

And would you really want to trust WD after they knew of this in 2018 and did nothing! WD states they value their customer’s data. Their lack of security actions clearly show otherwise.

2 Likes

It is not a one-time affair; the attack can come everytime.
But you can disable UPnP in the router and your NAS and disable remote access.

Additionally, you can fix the security vulnerability yourself. There are only 2 lines of code (!!) that needs to be fixed. And WD didn’t care about this tiny fix, just because the product is EOL.
Here is my fix: Help! All data in mybook live gone and owner password unknown - #415 by dracenmarx

1 Like

WTF?

I guess the public hasn’t really heard about this yet too much, or doesn’t care?

Well it is bad Public Relations. WD could have done more to get MyBook customers to upgrade and take seriously the devices are EOL with no updates nor support. From a corporate point of view WD is huge company and the consumer market is a few drops in the corporate bucket. WD is not losing large amounts of money for this. WD has pricy lawyers if you want claim losses on a device EOL over 5 years ago. To be honest big corporates really don’t care about consumers. We are expendable.

1 Like

Wow! I am speechless.
On the other hand, I am not surprised. The situation in Germany is that only the computer-news pages write about this hack. The “non-computer” media, news papers and TV don’t mention it. I am used to that, since Germany is digital stone age.

It hit Forbes, but that’s it AFAIK.

Should we get togheter and poke them on social media?

1 Like

Sure horror stories where a parent lost all their family’s lifetime memories . A contractor who lost all his/her work for six months and now will not be able collect a single dollar.

Get a bunch stories like this on social media and there will likely be a class action lawsuit.

2 Likes

Same reason car manufactures are liable for safety recalls even decades after releasing a car.

WD made ZERO effort to inform customers they NEED to upgrade to a new device and their device’s current network interface disabled. Seagate and other manufactures have disabled networking on old storage devices after support EOL. WD neglected basic security and failed to inform their customers of the risk present in our dangerous IT world. Seems to me class action lawyers would be drooling over the financial opportunity.

With all the recent ransomware in the news and the focus at the federal level I honestly expect a class action lawsuit to win despite the device being EOL for 8 years and the precedence the manufacturer of EOL equipment is not liable.

There is ample evidence WD ignored informing users which was done as standard practice by their competitors for similar products.

2 Likes

Dont step on the backup, go to root cause. And the root cause is the OS security config.

If an end user come across with a dead mechanic hard drive inside the MBL, thats not WD fault.
Now if WD let a hole open (behind end users backs) thats on them.
You can tell that to their lawyers…

As I also recall, Windows XP was EOL and unsupported and when Microsoft was aware of a vulnerability a few years back, they released a security patch. Because the hardware might be EOL, a firmware patch by WD could have been offered when this was discovered 2 years ago.

1 Like

My drive is at Ontrack with a 700 dollar estimate and none of the filenames or folder structures on what they are able to recover are what they were, so there is a huge amount of work to go through and rename/reorganize. Yeah, shame on me for trusting the WD to be the sole source of some of the files that were lost, but shame on WD for not at least sending an email or doing a firmware patch on an issue they knew about 2 years ago. I understand it’s an EOL product, but even Microsoft released a patch to plug a hole in XP, which was also unsupported EOL operating system.

1 Like