Getty Photos
Final week’s mass-wiping of Western Digital My E book Reside storage units concerned the exploitation of not only one vulnerability, however a second vital safety bug that allowed hackers to remotely carry out a manufacturing facility reset and not using a password, an investigation exhibits.
The vulnerability is exceptional not solely as a result of it made it trivial to wipe what’s seemingly petabytes of person information. Extra notable nonetheless was the truth that, in line with the weak code itself, a Western Digital developer actively eliminated code that required a legitimate person password earlier than permitting manufacturing facility resets to proceed.
Finished and undone
The undocumented vulnerability resided in a file aptly named system_factory_restore. It accommodates a PHP script that performs resets, which permits customers to revive all default configurations and to wipe all information saved on the units.
Usually, and for good purpose, manufacturing facility resets require the individual making the request to offer a person password. This authentication ensures that units uncovered to the Web can solely be reset by the reliable proprietor and never by a malicious hacker.
Because the following script exhibits, nevertheless, a Western Digital developer created 5 strains of code to password-protect the reset command. For unknown causes, the authentication test was cancelled, or in developer parlance, was commented out as indicated by the double / character originally of every line.
perform get($urlPath, $queryParams=null, $ouputFormat="xml"){
// if(!authenticateAsOwner($queryParams))
// {
// header("HTTP/1.0 401 Unauthorized");
// return;
// }
“The seller commenting out the authentication within the system restore endpoint actually does not make issues look good for them,” HD Moore, a safety professional and the CEO of community discovery platform Rumble, informed me. “It’s like they deliberately enabled the bypass.”
To use the vulnerability, the attacker would have needed to know the format of the XML request that triggers the reset. That’s “not fairly as simple as hitting a random URL with a GET request, however [it’s] not that far off both,” Moore stated.
Dude, the place’s my information?
The invention of the second exploit comes 5 days after folks everywhere in the world reported that their My Book Live devices had been compromised after which manufacturing facility reset so that every one saved information was wiped. My E book Reside is a book-sized storage gadget that makes use of an ethernet jack to connect with house and workplace networks in order that related computer systems have entry to the information on it. Approved customers also can entry their recordsdata and make configuration adjustments over the Web. Western Digital stopped supporting the My E book Reside in 2015.
Western Digital personnel posted an advisory following the mass wiping that stated it was the results of attackers exploiting CVE-2018-18472. The distant command execution vulnerability was discovered in late 2018 by safety researchers Paulos Yibelo and Daniel Eshetu. As a result of it got here to mild three years after Western Digital stopped supporting the My E book Reside, the corporate by no means fastened it.
An evaluation carried out by Ars and Derek Abdine, CTO at safety agency Censys, discovered that the units hit by final week’s mass hack had additionally been subjected to assaults that exploited the unauthorized reset vulnerability. The extra exploit is documented in log recordsdata extracted from two hacked units.
One of many logs was posted within the Western Digital support forum the place the mass compromise first got here to mild. It exhibits somebody from the IP tackle 94.102.49.104 efficiently restoring a tool:
rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 PARAMETER System_factory_restore POST : erase = none
rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 OUTPUT System_factory_restore POST SUCCESS
A second log file I obtained from a hacked My E book Reside gadget confirmed a unique IP tackle—23.154.177.131—exploiting the identical vulnerability. Listed below are the telltale strains:
Jun 16 07:28:41 MyBookLive REST_API[28538]: 23.154.177.131 PARAMETER System_factory_restore POST : erase = format
Jun 16 07:28:42 MyBookLive REST_API[28538]: 23.154.177.131 OUTPUT System_factory_restore POST SUCCESS
After presenting these findings to Western Digital representatives, I acquired the next affirmation: “We are able to affirm that in a minimum of a number of the instances, the attackers exploited the command injection vulnerability (CVE-2018-18472), adopted by the manufacturing facility reset vulnerability. It’s not clear why the attackers exploited each vulnerabilities. We’ll request a CVE for the manufacturing facility reset vulnerability and can replace our bulletin to incorporate this info.”
This vulnerability has been password protected
The invention raises a vexing query: if the hackers had already obtained full root entry by exploiting CVE-2018-18472, what want did they’ve for this second safety flaw? There’s no clear reply, however based mostly on the proof out there, Abdine has provide you with a believable principle—that one hacker first exploited CVE-2018-18472 and a rival hacker later exploited the opposite vulnerability in an try to wrest management of these already compromised units.
The attacker who exploited CVE-2018-18472 used the code execution functionality it supplied to change a file within the My E book Reside stack named language_configuration.php, which is the place the vulnerability is positioned. In keeping with a recovered file, the modification added the next strains:
}
perform put($urlPath, $queryParams=null, $ouputFormat="xml"){
if(!isset($adjustments["submit"]) || sha1($adjustments["submit"]) != "05951edd7f05318019c4cfafab8e567afe7936d4")
{
die();
}
The change prevented anybody from exploiting the vulnerability with out the password that corresponds to the cryptographic SHA1 hash 05951edd7f05318019c4cfafab8e567afe7936d4. It seems that the password for this hash is p$EFx3tQWoUbFcpercentBpercentR$ok@. The plaintext seems within the recovered log file here.
A separate modified language_configuration.php file recovered from a hacked gadget used a unique password that corresponds to the hash 56f650e16801d38f47bb0eeac39e21a8142d7da1. The hackers used a 3rd hash—b18c3795fd377b51b7925b2b68ff818cc9115a47—to password-protect a separate file named accessDenied.php. It was seemingly executed as an insurance coverage coverage within the occasion Western Digital launched an replace that patched language_configuration.
Thus far, makes an attempt to crack these two different hashes haven’t succeeded.
In keeping with Western Digital’s advisory linked above, a number of the My E book Reside units hacked utilizing CVE-2021-18472 had been contaminated with malware known as .nttpd,1-ppc-be-t1-z, which was written to run on the PowerPC {hardware} utilized by My E book Reside units. One person within the help discussion board reported a hacked My E book Reside receiving this malware, which makes devices part of a botnet known as Linux.Ngioweb.
A principle emerges
So why would somebody who efficiently wrangled so many My E book Reside units right into a botnet flip round and wipe and reset them? And why would somebody use an undocumented authentication bypass once they have already got root entry?
The almost certainly reply is that the mass wipe and reset was carried out by a unique attacker, very presumably a rival who both tried, unsuccessfully, to take management of the rival’s botnet or just needed to sabotage it.
“As for motive for POSTing to this [system_factory_restore] endpoint on a mass scale, it’s unknown, but it surely could possibly be an try at a rival botnet operator to take over these units or render them ineffective, or somebody who needed to in any other case disrupt the botnet which has seemingly been round for a while, since these points have existed since 2015,” Abdine wrote in a recent blog post.
The invention of this second vulnerability implies that My E book Reside units are much more insecure than most individuals thought. It provides authority to Western Digital’s name for all customers to disconnect their units from the Web. Anybody utilizing certainly one of these units ought to heed the decision instantly.
For a lot of hacked customers who misplaced years’ or many years’ price of information, the considered shopping for one other Western Digital storage gadget might be out of the query. Abdine, nevertheless, says that My Cloud Reside units, which changed Western Digital’s My E book Reside merchandise, have a unique code base that doesn’t comprise both of the vulnerabilities exploited within the current mass wiping.
“I took a take a look at the My Cloud firmware, too,” he informed me. “It is rewritten and bears some, however largely little, resemblance to My E book Reside code. So it does not share the identical points.”
