![Hackers took advantage of a 0 days, not 2018 bug, to mass wipe My Book Live devices [Updated]](https://cdn.arstechnica.net/wp-content/uploads/2021/06/busted-hard-drive-800x518.jpeg)
Getty Images
Update 6/29/2021, 9:00 PM: Western Digital has released an update stating that the company will offer data recovery services starting early next month. My Book Live customers are also eligible for a trade-in program to upgrade to My Cloud devices. A spokeswoman said the data recovery service will be free.
The company also released new technical details about the zeroday, which is now tracked as CVE-2021-35941. Company officials wrote:
We’ve heard concerns about the nature of this vulnerability and are sharing technical details to help answer those questions. We identified that the unauthenticated factory reset vulnerability was introduced in the My Book Live in April 2011 as part of a refactor of the authentication logic in the device firmware. The refactor centralized the authentication logic in a single file, which is present on the device as:
includes/component_config.phpand contains the authentication type required for each endpoint. In this refactor, the authentication logic is insystem_factory_restore.phpwas correctly disabled, but the correct authentication type ofADMIN_AUTH_LAN_ALLhas not been added tocomponent_config.php, resulting in the vulnerability. The same refactor removed authentication logic from other files and correctly added the correct authentication type to thecomponent_config.phpFile.
The message added:
We reviewed log files received from affected customers to understand and characterize the attack. From the log files we reviewed, it appears that the attackers connected directly to the affected My Book Live devices from different IP addresses in different countries. Our investigation shows that in some cases, the same attacker has exploited both vulnerabilities on the device, as evidenced by the source IP. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device.
What follows is the article as it originally appeared:
The mass erasure of Western Digital My Book Live storage devices last week exploited not just one vulnerability, but also a second critical security flaw that allowed hackers to remotely reset factory settings without a password, a study finds.
The vulnerability is notable because it made it trivial to erase likely petabytes of user data. More notably, according to the vulnerable code itself, a Western Digital developer was actively removing code that required a valid user password before factory resets could be performed.
Done and undone
The undocumented vulnerability was contained in a file appropriately named system_factory_restore. It contains a PHP script that performs resets, allowing users to restore all default configurations and wipe all data on the devices.
Normally, and with good reason, factory resets require the person making the request to provide a user password. This authentication ensures that devices exposed to the internet can only be reset by the legitimate owner and not by a malicious hacker.
As the following script shows, a Western Digital developer created five lines of code to password protect the reset command. For unknown reasons, the authentication check has been canceled, or in developer parlance, as indicated by the double / character at the beginning of each line.
function post($urlPath, $queryParams = null, $ouputFormat="xml") {
// if(!authenticateAsOwner($queryParams))
// {
// header("HTTP/1.0 401 Unauthorized");
// return;
// }“The vendor commenting on authentication in the system recovery endpoint makes things look bad for them,” HD Moore, a security expert and the CEO of network discovery platform Rumble, told Ars. “It’s like they deliberately turned on the bypass.”
To exploit the vulnerability, the attacker would have had to know the format of the XML request that triggers the reset. That’s “not as easy as hitting any URL with a GET request, but [it’s] not that far away,” Moore said.
Dude, where’s my data?
The discovery of the second exploit comes five days after people around the world reported that their My Book Live devices had been compromised and then factory reset, erasing all stored data. My Book Live is a book-sized storage device that uses an Ethernet connection to connect to home and office networks, allowing connected computers to access the data on it. Authorized users can also access their files over the Internet and make configuration changes. Western Digital stopped supporting My Book Live in 2015.
Western Digital staff posted an advisory after the mass erasure that it was the result of attackers exploiting CVE-2018-18472. The remote command vulnerability was discovered in late 2018 by security researchers Paulos Yibelo and Daniel Eshetu. Since it came to light three years after Western Digital stopped supporting My Book Live, the company never fixed it.
An analysis conducted by Ars and Derek Abdine, CTO at security firm Censys, found that the devices affected by last week’s massive hack were also subject to attacks that exploited the unauthorized reset vulnerability. The additional exploit is documented in log files extracted from two hacked devices.
One of the logs was posted to Western Digital’s support forum, where the massive compromise was first exposed. It shows that someone from the IP address 94.102.49.104 successfully restores a device:
rest_api.log.1:23 Jun 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 PARAMETER System_factory_restore POST : clear = none
rest_api.log.1:23 Jun 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 OUTPUT System_factory_restore POST SUCCESS
A second log file I obtained from a hacked My Book Live device showed a different IP address – 23.154.177.131 – exploiting the same vulnerability. Here are the telltale lines:
Jun 16 07:28:41 MyBookLive REST_API[28538]: 23.154.177.131 PARAMETER System_factory_restore POST: erase = format
Jun 16 07:28:42 MyBookLive REST_API[28538]: 23.154.177.131 OUTPUT System_factory_restore POST SUCCESS
After presenting these findings to Western Digital representatives, I received the following confirmation: “We can confirm that in at least some of the cases, the attackers exploited the command injection vulnerability (CVE-2018-18472) followed due to the vulnerability to factory reset. It is not clear why the attackers exploited both vulnerabilities. We will request a CVE for the factory reset vulnerability and will update our bulletin to include this information.”
This vulnerability is password protected
The discovery raises an annoying question: If the hackers had already gained full root access using CVE-2018-18472, what need did they have for this second security flaw? There is no clear answer, but based on the available evidence, Abdine has come up with a plausible theory: that a hacker first exploited CVE-2018-18472 and a rival hacker later exploited the other vulnerability in an attempt to take control of those already were compromised devices.
The attacker who exploited CVE-2018-18472 used the code execution capability it provided to modify a file in the My Book Live stack called language_configuration.php, where the vulnerability resides. According to a recovered file, the change added the following lines:
function put($urlPath, $queryParams=null, $ouputFormat="xml"){
parse_str(file_get_contents("php://input"), $changes);
$langConfigObj = new LanguageConfiguration();
if(!isset($changes["submit"]) || sha1($changes["submit"]) != "56f650e16801d38f47bb0eeac39e21a8142d7da1")
{
die();
}
The change did not allow anyone to exploit the vulnerability without the password corresponding to the cryptographic SHA1 hash 56f650e16801d38f47bb0eeac39e21a8142d7da1. It turns out that the password for this hash is p$EFx3tQWoUbFc%B%R$k@. The plaintext appears here in the recovered log file.
A separate modified language_configuration.php file recovered from a hacked device used a different password matching the hash 05951edd7f05318019c4cfafab8e567afe7936d4. The hackers used a third hash, b18c3795fd377b51b7925b2b68ff818cc9115a47, to password protect a separate file called accessDenied.php. It was probably done as an insurance policy in case Western Digital released an update that patched language_configuration.
So far, attempts to crack these two other hashes have been unsuccessful.
According to Western Digital advice linked above, some of the My Book Live devices hacked with CVE-2021-18472 are infected with malware called .nttpd,1-ppc-be-t1-z, which was written to run on the PowerPC hardware used by My Book Live devices. A user on the support forum reported that a hacked My Book Live received this malware, making devices part of a botnet called Linux.Ngioweb.
A theory emerges
So why would someone who has successfully messed with so many My Book Live devices into a botnet turn around and wipe and reset them? And why would someone use an undocumented authentication bypass when they already have root access?
The most likely answer is that the mass wipe and reset was performed by another attacker, most likely a rival who either tried to take control of the rival’s botnet or simply sabotaged it.
“As to the motive for posting here [system_factory_restore] endpoint on a large scale is unknown, but it could be an attempt by a rival botnet operator to take over or disable these devices, or someone else who wanted to disrupt the botnet, which has probably been around for a while, in some other way . these issues have existed since 2015,” Abdine wrote in a recent blog post.
The discovery of this second vulnerability means that My Book Live devices are even more insecure than most people thought. It adds authority to Western Digital’s recommendation to all users to disconnect their devices from the Internet. Anyone using any of these devices should heed the call immediately.
For many hacked users who have lost years or decades of data, the thought of buying another Western Digital storage device is probably out of the question. However, Abdine says that My Cloud Live devices, which have replaced Western Digital’s My Book Live products, have a different code base that does not contain any of the vulnerabilities used in the recent mass erasure.
“I also looked at the My Cloud firmware,” he told me. “It has been rewritten and bears some, but mostly little, similarity to My Book Live code. So it doesn’t share the same issues.”