CVE-2021-35941

Western Digital WD My Book Live (2.x and later) and WD My Book Live Duo (all versions) have an administrator API that can perform a system factory restore without authentication, as exploited in the wild in June 2021, a different vulnerability than CVE-2018-18472.

Recent assessments:

gwillcox-r7 at December 01, 2021 6:14am UTC reported:

From what I can tell this is likely a relatively easy exploit given that one resets the entire device via an unauthenticated request. This essentially allows the attacker to reset the device and erase all data on the storage device without any authentication at all. This could be used to ransom off targets and threaten to destroy their data if they don’t comply, then use the bug to exploit the storage devices and wipe all their data if they didn’t pay up.

Of less value to attackers since they would likely just end up erasing a client’s data however given how protective of data most companies are, I can imagine this most likely being used in ransom schemes as mentioned above. Less likely to be used to actually steal data unless by resetting the device you can somehow get other devices to resync the data to the drive and have the attacker now have full access to the box.

Otherwise its good to note this has been exploited in the wild and there is no plan to patch this bug since the firmware went out of date in 2015 and the manufacture has stopped updating the firmware for this device with no plans to supply any changes even for security related issues. Your best bet is to migrate your data and get a more modern device. More info on the refactoring of the code that lead to this bug can be found at <https://www.westerndigital.com/support/product-security/wdc-21008-recommended-security-measures-wd-mybooklive-wd-mybookliveduo&gt;

Assessed Attacker Value: 2
Assessed Attacker Value: 2Assessed Attacker Value: 4