Western Digital Security Advisory Bulletin: WDC Tracking WDC-21008
Concerning WD My Book Live and My Book Live Duo systems
This is a press release edited by StorageNewsletter.com on July 2, 2021 at 2:31 pm.
Western Digital Corp. has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability.
In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.
The company is reviewing log files received from affected customers to further characterize the attack and the mechanism of access. The log files reviewed so far show that the attackers connected directly to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly reachable from the Internet, either through a direct connection or through port forwarding that was enabled either manually or automatically via UPnP.
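As an added example (not part of Western Digital's advisory or of StorageNewsletter's text), the following Python shows the kind of log triage the paragraph describes: given web-interface access-log lines from a NAS, it separates requests that came from LAN-side addresses from those that arrived from Internet addresses, which is the sign that a port-forwarding rule or UPnP mapping exposed the device. The log lines and the combined-log format are constructed for this example; a My Book Live's actual log format may differ, and the public addresses used are IANA documentation ranges standing in for real attacker IPs. The script deliberately uses an explicit list of LAN ranges rather than `ipaddress.is_private`, because Python treats the documentation ranges (192.0.2.0/24 and friends) as non-global and would otherwise hide them.

```python
import ipaddress
import re

# Address ranges that can only be reached from the LAN side of a home router.
# A request from any other address reached the device from the Internet, which,
# per the advisory, means port forwarding (manual or via UPnP) exposed it.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                      # IPv4 loopback
    "169.254.0.0/16",                                   # IPv4 link-local
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]

# Combined-log-format prefix: client IP, identity, user, [timestamp] "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (NOT from a real device). 192.0.2.x, 198.51.100.x and
# 203.0.113.x are documentation ranges used here as stand-ins for Internet hosts.
SAMPLE_LOG = """\
192.168.1.20 - - [23/Jun/2021:10:01:02 +0000] "GET /UI/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Jun/2021:10:02:15 +0000] "GET /UI/ HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
203.0.113.44 - - [23/Jun/2021:10:02:16 +0000] "POST /api/ HTTP/1.1" 200 53 "-" "curl/7.64.0"
10.0.0.5 - - [23/Jun/2021:10:03:00 +0000] "GET /UI/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Jun/2021:10:03:41 +0000] "GET /api/ HTTP/1.1" 200 77 "-" "python-requests/2.25.1"
192.0.2.19 - - [23/Jun/2021:10:04:09 +0000] "GET /UI/ HTTP/1.1" 200 512 "-" "Go-http-client/1.1"
this line is not a log entry and must be skipped, not crash the parser
"""


def is_lan_address(ip: str) -> bool:
    """True if the address lies in a range only reachable from the local network."""
    addr = ipaddress.ip_address(ip)
    # IPv4 addresses never match IPv6 networks (and vice versa); ipaddress handles that.
    return any(addr in net for net in LAN_NETS)


def external_clients(log_text: str) -> dict:
    """Map each non-LAN client IP to the list of (timestamp, method, path, status)
    it requested. Malformed lines and non-IP client fields are skipped."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        try:
            if is_lan_address(ip):
                continue
        except ValueError:
            continue  # hostname logging or garbage in the client field
        hits.setdefault(ip, []).append((m["ts"], m["method"], m["path"], int(m["status"])))
    return hits


def exposure_summary(log_text: str) -> dict:
    """Condense the external-client view into the facts an incident write-up needs:
    was the device reachable from the Internet, from how many distinct addresses,
    and how many requests each one made."""
    hits = external_clients(log_text)
    return {
        "exposed": bool(hits),
        "distinct_external_ips": len(hits),
        "requests_by_ip": {ip: len(reqs) for ip, reqs in hits.items()},
    }


if __name__ == "__main__":
    summary = exposure_summary(SAMPLE_LOG)
    print(summary)
    for ip, reqs in external_clients(SAMPLE_LOG).items():
        for ts, method, path, status in reqs:
            print(f"{ip:>15}  {ts}  {method} {path} -> {status}")
```

Run against the constructed sample, the summary reports three distinct external addresses (one of them making two requests) while the two RFC 1918 clients are left out; on a real device, any non-empty result is the evidence the advisory describes, and the timestamps tell you when the exposure was first used.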
Additionally, the log files show that on some devices the attackers installed a trojan with the file name ‘.nttpd,1-ppc-be-t1-z’, a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. Note that the leading dot makes the file hidden from a plain directory listing; include hidden files when checking a device. A sample of this trojan has been captured for further analysis and has been uploaded to VirusTotal.
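The advisory identifies the dropped file only by its name and by its being a Linux ELF binary for PowerPC. As an added example, not code from Western Digital or from the advisory, the following Python shows how to confirm that description for a suspicious file pulled off a device: it parses the ELF identification bytes and the e_machine field, flags ELF32 big-endian PowerPC (the My Book Live's CPU, consistent with the ‘ppc-be’ in the file name), and computes a SHA-256 suitable for a VirusTotal lookup. The sample bytes are synthetic ELF headers constructed here for the example; they are not bytes of the real ‘.nttpd,1-ppc-be-t1-z’ sample, and the advisory publishes no hash for it.

```python
import hashlib
import struct

EM_PPC = 0x14      # e_machine: 32-bit PowerPC (ELF specification)
EM_PPC64 = 0x15    # e_machine: 64-bit PowerPC
EM_X86_64 = 0x3E   # e_machine: AMD x86-64, used here only as a contrasting sample


def elf_identify(data: bytes):
    """Parse the ELF identification block plus e_type/e_machine.
    Returns None if the bytes are not an ELF file, otherwise a dict with the
    file class, byte order and target machine."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_data not in (1, 2):          # 1 = little-endian (LSB), 2 = big-endian (MSB)
        return None
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine are 16-bit fields at offsets 16 and 18, stored in the
    # file's own byte order, which is why ei_data must be read first.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "class": {1: "ELF32", 2: "ELF64"}.get(ei_class, "unknown"),
        "byte_order": "big" if ei_data == 2 else "little",
        "e_type": e_type,
        "e_machine": e_machine,
        "is_powerpc": e_machine in (EM_PPC, EM_PPC64),
    }


def matches_mybooklive_target(data: bytes) -> bool:
    """True if the file is an ELF binary that could execute on the My Book Live's
    32-bit big-endian PowerPC CPU: ELF32, MSB byte order, e_machine == EM_PPC."""
    info = elf_identify(data)
    return (info is not None and info["class"] == "ELF32"
            and info["byte_order"] == "big" and info["e_machine"] == EM_PPC)


def sha256_hex(data: bytes) -> str:
    """Hash to search for on VirusTotal or to share with other responders."""
    return hashlib.sha256(data).hexdigest()


def triage_file(name: str, data: bytes) -> dict:
    """Summarize one file recovered from a device for follow-up."""
    return {
        "name": name,
        "hidden": name.startswith("."),             # dot-files are skipped by a plain `ls`
        "is_elf": elf_identify(data) is not None,
        "runs_on_mybooklive": matches_mybooklive_target(data),
        "sha256": sha256_hex(data),
    }


# Constructed 52-byte ELF32 header for a big-endian PowerPC executable.
# Synthetic stand-in for the example, NOT the real trojan's bytes.
SYNTHETIC_PPC_ELF = (
    b"\x7fELF"                 # EI_MAG0..3
    + bytes([1, 2, 1, 0])      # EI_CLASS=ELF32, EI_DATA=MSB, EI_VERSION=1, EI_OSABI=SYSV
    + b"\x00" * 8              # EI_ABIVERSION + padding
    + struct.pack(">HHIIIIIHHHHHH",
                  2,            # e_type    = ET_EXEC
                  EM_PPC,       # e_machine = PowerPC
                  1,            # e_version
                  0x10000000,   # e_entry
                  52, 0, 0,     # e_phoff, e_shoff, e_flags
                  52,           # e_ehsize
                  32, 0,        # e_phentsize, e_phnum
                  40, 0, 0)     # e_shentsize, e_shnum, e_shstrndx
)

# Constructed 64-byte ELF64 little-endian x86-64 header: same triage must reject it.
SYNTHETIC_X86_64_ELF = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    + struct.pack("<HHIQQQIHHHHHH",
                  2, EM_X86_64, 1, 0x401000, 64, 0, 0, 64, 56, 0, 64, 0, 0)
)

if __name__ == "__main__":
    for name, blob in ((".nttpd,1-ppc-be-t1-z", SYNTHETIC_PPC_ELF),
                       ("busybox-x86_64", SYNTHETIC_X86_64_ELF),
                       ("script.sh", b"#!/bin/sh\necho hi\n")):
        print(triage_file(name, blob))
```

The interesting failure mode is byte order: reading e_machine with the wrong endianness turns 0x0014 into 0x1400 and the PowerPC binary is misclassified, so the parser reads EI_DATA before unpacking any multi-byte field. On a device, run the triage over every file, hidden ones included, rather than only the name quoted in the advisory.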
The firm’s investigation of this incident has not uncovered any evidence that the company’s cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the Internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning.
The company understands that its customers’ data is important. It does not yet understand why the attackers triggered the factory reset; however, it has obtained a sample of an affected device and is investigating further. Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and the company is currently investigating the effectiveness of these tools. Recovery prospects are best if an affected device is kept offline and not written to further until the drive has been imaged.
The My Book Live series was introduced to the market in 2010 and these devices received their final firmware update in 2015.
Advisory summary
At this time, the company recommends that you disconnect your My Book Live and My Book Live Duo from the Internet to protect the data on the device. Since the exposure seen in the logs came through port forwarding or UPnP, also remove any router port-forwarding rules that point at the device and disable UPnP on the router.
The company has heard customer concerns that the current My Cloud OS 5 and My Cloud Home series of devices may be affected. These devices use a newer security architecture and are not affected by the vulnerabilities used in this attack. The company recommends that eligible My Cloud OS 3 users upgrade to OS 5 to continue to receive security updates for their devices.
CVE Number: CVE-2018-18472 (the remote command execution vulnerability referenced above)