You’re not going to believe this. Western Digital now confirms that it disabled authentication code that should have prevented last week’s My Book Live factory reset exploit. What’s worse, this code was disabled in 2011 with the intent of replacing it with something better—Western Digital simply forgot to paste in the new code.
Let’s backtrack a bit. Last week, My Book Live users found that their internet-connected storage drives had lost all of their data. A factory reset, triggered remotely, caused this data loss.
Analysis by security experts has since shown that hackers were exploiting two separate My Book Live vulnerabilities at the same time; one exploit (called CVE-2018-18472) left the drives open to full remote control and was used to build a botnet, while another exploit allowed hackers to execute remote factory resets without the need for any login credentials.
These security experts found that Western Digital had intentionally disabled factory reset authentication code, which would have forced hackers to enter login information for each My Book Live device they tried to format. A new support post from Western Digital confirms that this code was disabled in 2011 as part of a refactor—basically a wide-scale upgrade to underlying code. While this refactor was correctly performed in other parts of the My Book Live system, it failed to replace the factory reset authentication code.
We have determined that the unauthenticated factory reset vulnerability was introduced to the My Book Live in April of 2011 as part of a refactor of authentication logic in the device firmware. The refactor centralized the authentication logic into a single file, which is present on the device as includes/component_config.php and contains the authentication type required by each endpoint. In this refactor, the authentication logic in system_factory_restore.php was correctly disabled, but the appropriate authentication type of ADMIN_AUTH_LAN_ALL was not added to component_config.php, resulting in the vulnerability. The same refactor removed authentication logic from other files and correctly added the appropriate authentication type to the component_config.php file.
Western Digital goes on to clarify a few details of this attack. While security analysts suggest that a hacker exploited the factory reset vulnerability to sabotage the growing My Book Live botnet (which was enabled by the separate CVE-2018-18472 “remote control” exploit), Western Digital says that both attacks were often executed from a single IP address. This suggests that one hacker took advantage of both vulnerabilities, for some reason.
Throughout this whole mess, many people have blamed My Book Live users for leaving themselves open to attack. After all, My Book Live devices haven’t been updated since 2015, so of course they’re unsafe! But in reality, My Book Live drives were vulnerable to the factory reset and CVE-2018-18472 “remote control” exploits long before Western Digital ended software support.
Western Digital says that it will offer free data recovery services and a free My Cloud device to My Book Live owners starting this July. If you’re still using a My Book Live device, please unplug it and never use it again.
Source: Western Digital