After Western Digital My Book Live owners all over the world reported that their devices had been wiped remotely in a single day, the company issued a statement blaming a specific vulnerability (CVE-2021-35941) for the incident. An external investigation conducted by Ars Technica and Derek Abdine (CTO at security firm Censys) has revealed, however, that the bad actors exploited another undocumented vulnerability in a file aptly named system_factory_restore.
Usually, users have to type in their passwords to be able to perform factory resets on their devices. Indeed, the script in the file contains lines to password-protect the reset command. However, someone at Western Digital “commented out” or, in non-technical parlance, canceled out the command by adding the double / character at the beginning of each line. HD Moore, a security expert, explained to Ars that this doesn't make things look good for the company. “It’s like they intentionally enabled the bypass,” Moore said, since the attackers would have to know the format of the script that triggers the reset to use the vulnerability.
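A code-review check for the failure described above, where an authentication call survives only inside `//` comments. This is an added example, not code from Western Digital or from the investigation; the helper names (`require_owner_auth` and the others) and both sample handlers are constructed for illustration.

```python
import re

# Hypothetical auth helper names (assumption); adapt to the code base being audited.
AUTH_CALL = re.compile(r"\b(require_owner_auth|check_password|is_authenticated)\s*\(")
LINE_COMMENT = re.compile(r"^\s*//")

def audit_handler(source: str) -> dict:
    """Classify each auth call in a handler as live or disabled by a // comment."""
    live, disabled = [], []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if not AUTH_CALL.search(line):
            continue
        if LINE_COMMENT.match(line):
            disabled.append(lineno)
            continue
        # Heuristic: ignore a trailing // comment so "x(); // check_password()"
        # does not count as a live check (does not parse string literals).
        code = line.split("//", 1)[0]
        (live if AUTH_CALL.search(code) else disabled).append(lineno)
    if live:
        verdict = "ok"
    elif disabled:
        verdict = "auth-commented-out"
    else:
        verdict = "no-auth-check"
    return {"verdict": verdict, "live": live, "disabled": disabled}

# Constructed sample: a reset handler whose password check was commented out.
VULNERABLE = """\
function post($params) {
    // if (!require_owner_auth($params)) {
    //     return http_error(401);
    // }
    run_factory_restore($params['erase']);
}
"""

# Constructed sample: the same handler with the check restored.
HARDENED = VULNERABLE.replace("    // ", "    ")

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit_handler(src))
```

Run against every handler that performs a destructive action, the "auth-commented-out" and "no-auth-check" verdicts are the ones to fail a build on.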
Devices that were hacked using the CVE-2021-35941 vulnerability were infected with malware, and in at least one case, it was malware that makes a device part of a botnet. Since turning My Book Live storage devices into botnets and then wiping them clean doesn't make sense, Abdine’s theory is that one hacker exploited the CVE-2021-35941 vulnerability. After that, a second (possibly rival) hacker exploited the previously unknown reset vulnerability to gain control of the devices, which had then been made part of a botnet, or to undo the first one’s work.
Either way, this incident just goes to show that the My Book Live storage devices aren’t as secure as anyone would like at this point. Those who still own one should heed Western Digital’s advice and disconnect it from the internet as soon as possible.