The following is the key new information here. This is a shocking response to a very, very serious issue. I will NEVER buy a Western Digital device of any kind.
-----
Western Digital’s brief advisory includes a link to an entry in the National Vulnerability Database for CVE-2018-18472. The NVD writeup says Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug.
“It can be triggered by anyone who knows the IP address of the affected device, as exploited in the wild in June 2021 for factory reset commands,” NVD wrote.
Examine the CVE attached to this flaw and you’ll notice it was issued in 2018. The NVD’s advisory credits VPN reviewer Wizcase.com with reporting the bug to Western Digital three years ago, back in June 2018.
In some ways, it’s remarkable that it took this long for vulnerable MyBook devices to be attacked: The 2018 Wizcase writeup on the flaw includes proof-of-concept code that lets anyone run commands on the devices as the all-powerful “root” user.
Western Digital’s response at the time was that the affected devices were no longer supported and that customers should avoid connecting them to the Internet. That response also suggested this bug has been present in its devices for at least a decade.
“The vulnerability report CVE-2018-18472 affects My Book Live devices originally introduced to the market between 2010 and 2012,” reads a reply from Western Digital that Wizcase posted to its blog. “These products have been discontinued since 2014 and are no longer covered under our device software support lifecycle. We encourage users who wish to continue operating these legacy products to configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device.”
I haven't heard how these people are actually being exploited. When I read the CVE, it makes me think javascript in the browser is reaching out over their LAN and hitting their NAS boxes, but I can't be sure that's whats happening. I can't imagine all these users set up port forwarding or UPnP on their MyBook Live. I would imagine a person buys that type of device because they don't want to or know how to do that kind of management. I'm curious to hear the details about the nuts and bolts of the exploit.
The whole point of my book live was that the user could access their files from remote locations. If I remember correctly the app was called WD2go or something similar. No doubt by setting up this service on their box, it opened up the path to the net. WD after some years then shut down that service, leaving the hole open.
And it's all probably going to happen again with Seagate.
"As of May 15, 2021 the Seagate Access feature of Seagate NAS products will be discontinued. Specifically, the Seagate Access service, Seagate Access through Seagate Sdrive, Seagate Access through Seagate Media App, and Seagate MyNAS will no longer be available after May 15, 2021 at midnight Central European Time. Additionally, customer support for the Seagate Access service will also be discontinued.
The removal of this service means that access to all Seagate NAS devices via the Seagate Access web portal, Seagate Sdrive, Seagate Media App, and Seagate MyNAS will no longer function. However, you will not lose remote access to the files on your Seagate NAS since it can be configured and accessed using the FTP/SFTP service. Similarly, your Seagate NAS will not change for standard network access within the home or office network using common network protocols on macOS and Windows.
Please know that we remain grateful for your purchase of a Seagate NAS and hope you continue to enjoy it despite this change to remote access via Seagate Access, Sdrive, Seagate Media App and MyNAS.
A two to four year support life for hardware seems ridiculously low. This reflects very poorly on WD, even if the exploit wasn’t discovered until the hardware was six to eight years old.
This. If a security vulnerability is significant enough, it should be fixed even in EOL products. I believe Microsoft did this for bluekeep as far back as server 2003.
An authenticated, stored XSS on the admin portal of a CMS? Meh. A root remote code exploit on a device which is commonly found plugged into the internet? Definitely.
The chance that "the community" will create patches and users will somehow find and install those unofficial patches is very low. We need to set our sights higher than this.
>I will NEVER buy a Western Digital device of any kind.
You're going to rule out all WD products (even the SATA/USB/NVMe, non-networked variety) because their NAS line had 0days? That's like swearing to never buy any philips lightbulbs if their IOT lightbulbs got hacked. I guess if you want to do this to punish WD, that's your prerogative, but it's not really anything rooted in rationality.
"It's the customer's fault, they shouldn't be using old devices which we stopped supporting almost immediately after we stopped selling them" -- WD, probably.
Looks like they removed that sentence. Personally, I like to think that by "previously unknown" they meant "we didn't know about it before we learned about it".
The article didn’t really add anything new or any new perspectives. I imagine it was a “check the box” post to make sure the site included something major like this.
I do wonder about how things like this relate to other real forms of engineering like civil in terms of accountability. As in, if there's a certain amount of responsibility inherent in a product, and that responsibility is assumed by the manufacturer (particularly in cases where everything is proprietary), gradually increasing risk accumulates for customers after a very short supported lifespan.
Bridges have very long useful lifespans wih massive up front cost, after which they're just replaced, and that's fine. Elevators have seemingly rigorous standards they need to hold up, but also there are companies and people specialized to repair them according to standards.
Programmers want the social respect and salaries of real engineers, without any of the professional responsibility and accountability. We [loosely speaking] want to have our cake and eat it too. I think if society continues to let us get away with it, nothing will change. Self-regulation clearly is not going to happen at this rate, we need legislatures to wake up and put our collective feet to the fire.
Though at this point I think you could argue software 'engineers' make way more than on real engineers. At least the upside is much higher. I can not think of any other job where you can have no formal education and have chance of making over 500k a year. Which makes your point even stronger.. we pay the people who design things that could kill you less and make them way more accountable. I hate being called software engineer I feel a developer is a better term.
I write software for medical devices, and where I work we take the stance that we are software engineers, not developers or programmers. The idea being that we design things that without the right failure analysis and mitigations could indeed kill people. The fact that we have an excellent track record is due to our engineering of a safe system.
Well some "real engineers" really do code, but mostly not CRUD applications. Most embedded systems, industrial control systems and avionic software are designed and crafted by electronic/electrical engineers. High performance computing number crunching is also dominated by physicists and engineers that uses that for physics simulation, particle physics studies, aerospace design, CFD - Computational Fluid Simulation, FEM - Finite Element Methods and so on.
This case of MyBook seems to be another case of vulnerability caused by C. Actually most CVE vulnerabilities happens due programming mistakes that the C language makes easier to make such as to buffer overflow, out-of-bounds array access, undefined behaviour, use-after-free and etc.
We're still in the experimentation stage for software development. New and interesting things are created because those regulations are not in place. Civil engineers and the lake don't really get to experiment in the same way; not anymore. Things falling down and causing havok were a lot more common back when they could.
There are no programmers that work on this WD product. That’s the problem. The company cut off support. Which is entirely a management decision. You can see when management values support you get secure software. How often do we find out about google drive breaches?
If a building collapses because its owner did not care about its repairs and structural integrity, the original architect cannot be blamed. Engineering products generally need maintenance, and that includes hardware and software.
BTW I am not that sure about respect for engineers at least where I live. Medical doctors are looked up to, yes, but engineers are considered "normal people", as are software developers.
I don’t think you’ll find many programmers who “want” things like this to happen. We just want to create useful things for end users, but we are driven by business requirements - not our own desires, or codified professional standards.
I, for one, would love it if there was some way to set agreed-upon software standards with a governing body set up to audit them.
But, it’s voluntary now. You don’t see programmers making the decision to implement certain features… it’s driven by business and management.
Medical/military/etc software is already highly regulated. Consumer grade devices are not. Collapsing bridges or free falling elevators have much different outcomes then a hard drive being wiped. A simple offline backup would save anyone in this instance.
Since it wasn't a deep wipe (I presume since it was factory reset), users could potentially recover data using tools like testdisk https://www.cgsecurity.org/wiki/TestDisk
That's assuming it does not issue ATA Secure Erase to the drive - whilst WD drives of the era were using absolutely atrocious controllers for the most part, it would be enough to thwart testdisk.
43 comments
[ 2.5 ms ] story [ 90.8 ms ] thread-----
Western Digital’s brief advisory includes a link to an entry in the National Vulnerability Database for CVE-2018-18472. The NVD writeup says Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug.
“It can be triggered by anyone who knows the IP address of the affected device, as exploited in the wild in June 2021 for factory reset commands,” NVD wrote.
Examine the CVE attached to this flaw and you’ll notice it was issued in 2018. The NVD’s advisory credits VPN reviewer Wizcase.com with reporting the bug to Western Digital three years ago, back in June 2018.
In some ways, it’s remarkable that it took this long for vulnerable MyBook devices to be attacked: The 2018 Wizcase writeup on the flaw includes proof-of-concept code that lets anyone run commands on the devices as the all-powerful “root” user.
Western Digital’s response at the time was that the affected devices were no longer supported and that customers should avoid connecting them to the Internet. That response also suggested this bug has been present in its devices for at least a decade.
“The vulnerability report CVE-2018-18472 affects My Book Live devices originally introduced to the market between 2010 and 2012,” reads a reply from Western Digital that Wizcase posted to its blog. “These products have been discontinued since 2014 and are no longer covered under our device software support lifecycle. We encourage users who wish to continue operating these legacy products to configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device.”
Just don't go and expose all your stuff to the internet.
"As of May 15, 2021 the Seagate Access feature of Seagate NAS products will be discontinued. Specifically, the Seagate Access service, Seagate Access through Seagate Sdrive, Seagate Access through Seagate Media App, and Seagate MyNAS will no longer be available after May 15, 2021 at midnight Central European Time. Additionally, customer support for the Seagate Access service will also be discontinued.
The removal of this service means that access to all Seagate NAS devices via the Seagate Access web portal, Seagate Sdrive, Seagate Media App, and Seagate MyNAS will no longer function. However, you will not lose remote access to the files on your Seagate NAS since it can be configured and accessed using the FTP/SFTP service. Similarly, your Seagate NAS will not change for standard network access within the home or office network using common network protocols on macOS and Windows.
Please know that we remain grateful for your purchase of a Seagate NAS and hope you continue to enjoy it despite this change to remote access via Seagate Access, Sdrive, Seagate Media App and MyNAS.
For questions, please contact https://www.seagate.com/contacts/.
Cordially,
The Seagate NAS Team"
Just don’t go storing your money in a bank.
An authenticated, stored XSS on the admin portal of a CMS? Meh. A root remote code exploit on a device which is commonly found plugged into the internet? Definitely.
If I was an user, I could patch it up myself (and I'm sure most people here would be able to, we're on HN).
You're going to rule out all WD products (even the SATA/USB/NVMe, non-networked variety) because their NAS line had 0days? That's like swearing to never buy any philips lightbulbs if their IOT lightbulbs got hacked. I guess if you want to do this to punish WD, that's your prerogative, but it's not really anything rooted in rationality.
And, I dunno, if that's how they conduct business I'm not sure I want to try their other stuff and find out what corners they cut there.
This vulnerability was reported in 2018 and remains unfixed, if I'm understanding correctly.
No, I'm ruling it out because of how they responded to it.
>[...], warning that malicious hackers are remotely wiping the drives using a previously unknown critical flaw [...]
This flaw was reported in 2018. Later in the article it even states as much
>Examine the CVE attached to this flaw and you’ll notice it was issued in 2018. [...]
Am I misinterpreting something here? I feel like I am; I'm pretty tired. Or, perhaps, a slight goof in the opening paragraph.
https://news.ycombinator.com/item?id=27625925
https://news.ycombinator.com/item?id=27624735
Bridges have very long useful lifespans wih massive up front cost, after which they're just replaced, and that's fine. Elevators have seemingly rigorous standards they need to hold up, but also there are companies and people specialized to repair them according to standards.
This case of MyBook seems to be another case of vulnerability caused by C. Actually most CVE vulnerabilities happens due programming mistakes that the C language makes easier to make such as to buffer overflow, out-of-bounds array access, undefined behaviour, use-after-free and etc.
BTW I am not that sure about respect for engineers at least where I live. Medical doctors are looked up to, yes, but engineers are considered "normal people", as are software developers.
I, for one, would love it if there was some way to set agreed-upon software standards with a governing body set up to audit them.
But, it’s voluntary now. You don’t see programmers making the decision to implement certain features… it’s driven by business and management.