PT-2019-5873 · Western Digital · Wd My Book Live, Wd My Book Live Duo

Published: 2019-06-19 · Updated: 2021-07-01 · CVE-2018-18472

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Western Digital WD My Book Live and WD My Book Live Duo (all versions)

Description: A root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device, and it allows an attacker to execute arbitrary commands. The vulnerability was exploited in the wild in June 2021 for factory reset commands. There were reports of mass data deletion and resets of Western Digital My Book devices; these were initially thought to be related to a SkyNet-like attack but were later found to be due to the exploitation of a 0-day vulnerability in the firmware that allows remote resets. Other attackers were also exploiting an older vulnerability to infect devices with the Linux.Ngioweb.27 botnet. Experts believe the mass reset was part of a botnet war, in which attackers tried to clear existing bots and infect devices with their own.

Recommendations: For Western Digital WD My Book Live and WD My Book Live Duo (all versions), as a temporary workaround, consider restricting access to the /api/1.0/rest/language configuration endpoint to minimize the risk of exploitation. Avoid using the language parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2021-03532
CVE-2018-18472

Affected Products

Wd My Book Live
Wd My Book Live Duo