In an updated article on security flaws in the My Book Live and My Book Live Duo network hard drives, Western Digital confirms that the drives were more vulnerable than initially assumed. The security hole, which strangers can use to remotely reset the devices, has existed since April 2011.
At that time, the security check for resetting to factory settings was inadvertently disabled by a firmware update, Western Digital writes on its blog. The vulnerability has now received the CVE ID CVE-2021-35941. A CVSS score is still pending.
Western Digital is confident that the data on affected hard drives can be recovered, as the models are not thoroughly formatted during a factory reset. In the course of this month, the manufacturer intends to provide “services” for data recovery, presumably in the form of a recovery tool.
In addition, there is to be a trade-in program under which an outdated hard drive from the My Book Live (Duo) series can be exchanged for a discount on a new network HDD. According to the manufacturer, the current WD firmware, My Cloud OS 5, does not have the vulnerabilities mentioned, but it is not installed on the old models.
If you use a My Book Live or My Book Live Duo, you should replace the network hard drive with a new model or NAS, or continue to operate the HDD without an Internet connection. All units run the risk of having had a Trojan installed for years via the CVE-2018-18472 vulnerability.