Hackers exploited 0-day, not 2018 bug, to mass-wipe My Book Live devices [Updated]

by Dan Goodin, Ars Technica
[Image: busted hard drive (credit: Getty Images)]

Update 6/29/2021, 9:00 PM: Western Digital has published an update that says the company will provide data recovery services starting early next month. My Book Live customers will also be eligible for a trade-in program so they can upgrade to My Cloud devices. A spokeswoman said the data recovery service will be free of charge.

The company also provided new technical details about the zeroday, which is now being tracked as CVE-2021-35941. Company officials wrote:

We have heard concerns about the nature of this vulnerability and are sharing technical details to address these questions. We have determined that the unauthenticated factory reset vulnerability was introduced to the My Book Live in April of 2011 as part of a refactor of authentication logic in the device firmware. The refactor centralized the authentication logic into a single file, which is present on the device as includes/component_config.php and contains the authentication type required by each endpoint. In this refactor, the authentication logic in system_factory_restore.php was correctly disabled, but the appropriate authentication type of ADMIN_AUTH_LAN_ALL was not added to component_config.php, resulting in the vulnerability. The same refactor removed authentication logic from other files and correctly added the appropriate authentication type to the component_config.php file.
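The failure mode WD describes is a classic one for centralized authorization tables: the per-file check is removed, the table is the only remaining gate, and an endpoint that nobody registered falls through to "no authentication". The PHP below is an added illustration written for this article, not Western Digital's firmware; only the file names component_config.php and system_factory_restore.php and the constant ADMIN_AUTH_LAN_ALL come from WD's statement, while the table layout, the AUTH_NONE constant, the lookup semantics of the original code and the function names are assumptions. It places the fall-through lookup beside a fail-closed one and adds the build-time check that would have caught the missing entry.

```php
<?php
// Added example, not WD's firmware. Assumed names: AUTH_NONE, the
// $component_config array shape, and every function below. Only
// component_config.php, system_factory_restore.php and
// ADMIN_AUTH_LAN_ALL are taken from WD's statement.

const AUTH_NONE          = 'AUTH_NONE';
const ADMIN_AUTH_LAN_ALL = 'ADMIN_AUTH_LAN_ALL';

// Stand-in for includes/component_config.php: endpoint => required auth type.
// The refactor's omission is reproduced: system_factory_restore.php, whose
// own check was removed, never received an entry here.
$component_config = [
    'system_mgr.php' => ADMIN_AUTH_LAN_ALL,
    'login.php'      => AUTH_NONE,
    // 'system_factory_restore.php' => ADMIN_AUTH_LAN_ALL,   // missing
];

// Constructed list of endpoint files on disk (would be a glob() on the device).
$endpoints_on_disk = ['system_mgr.php', 'login.php', 'system_factory_restore.php'];

// Fall-through lookup (assumed behaviour of the vulnerable build): an endpoint
// with no table entry is treated as needing no authentication at all.
function required_auth_vulnerable(array $config, string $endpoint): string
{
    return $config[$endpoint] ?? AUTH_NONE;
}

// Fail-closed lookup: an endpoint with no table entry gets the strictest
// type and the omission is logged, so a forgotten entry breaks the feature
// instead of exposing it.
function required_auth_hardened(array $config, string $endpoint): string
{
    if (!array_key_exists($endpoint, $config)) {
        error_log("component_config: no auth type registered for $endpoint, denying");
        return ADMIN_AUTH_LAN_ALL;
    }
    return $config[$endpoint];
}

// Build-time consistency check: every endpoint file must be registered, so
// the next refactor cannot silently drop one from the table.
function unregistered_endpoints(array $config, array $on_disk): array
{
    return array_values(array_diff($on_disk, array_keys($config)));
}

// Request-time decision: AUTH_NONE passes anyone, anything else needs an
// authenticated admin session.
function authorize(string $required, bool $admin_session): bool
{
    return $required === AUTH_NONE || $admin_session;
}

// An unauthenticated request against both lookups.
$anonymous = false;
foreach (['system_mgr.php', 'system_factory_restore.php'] as $ep) {
    $v = authorize(required_auth_vulnerable($component_config, $ep), $anonymous);
    $h = authorize(required_auth_hardened($component_config, $ep), $anonymous);
    printf("%-28s fall-through:%s  fail-closed:%s\n",
        $ep, $v ? 'ALLOW' : 'deny', $h ? 'ALLOW' : 'deny');
}

// The check that belongs in the firmware build: must return an empty list.
print_r(unregistered_endpoints($component_config, $endpoints_on_disk));
```

The fall-through lookup admits the anonymous request to system_factory_restore.php while the fail-closed one denies it, and the consistency check names exactly the file that was left out. When auditing any firmware that routes authorization through a single table, look for the same two things: what the lookup returns for a key that is absent, and whether anything enforces that the table covers every reachable endpoint.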

The post added:
