Quote:Western Digital will start providing free data-recovery services in July for people whose data was wiped off their network-attached storage (NAS) devices last week, the company said in an update on Tuesday.
The company is also planning to offer a trade-in program to get customers onto the cloud – specifically, onto a supported My Cloud device – and off of old My Book Live and My Book Live Duo devices, an indeterminate number of which were remotely eviscerated in an attack that exploited what turns out to have been a zero-day vulnerability.
In fact, there were two vulnerabilities that were exploited: An old remote-code execution (RCE) bug from 2018 that Western Digital first blamed, and then a previously unknown flaw that enabled unauthenticated remote factory-reset device wipes. Theories about why the attack involved two devastating exploits include the suggestion that rival threat actors were duking it out for control of the compromised devices.
Western Digital also released new details about that zero day, which exploited the newly identified vulnerability CVE-2021-35941. The bug is in Western Digital’s WD My Book Live (2.x and later) and WD My Book Live Duo (all versions), which have an administrator API that can perform a system factory restore without authentication. Its severity hasn’t yet been rated.
Besides the unauthenticated factory-reset operation, Western Digital said that the firmware for My Book Live is also vulnerable to a remotely exploitable command-injection vulnerability when the device has remote access enabled. “This vulnerability may be exploited to run arbitrary commands with root privileges,” according to Western Digital’s updated advisory.
Read more: Zero-Day Used to Wipe My Book Live Devices | Threatpost
![[-]](https://www.geeks.fyi/images/collapse.png)
