WD My Book Live has a small CVE


Western Digital WD My Book Live (all versions) has a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device.

I don’t know if UPnP was involved here, but I’m guessing it was?

Backups are a place where the rule of ‘2 is 1 and 1 is none’ certainly applies. Hell of a bug guys, good job WD.

I scared myself good the other day shuffling files around via Linux terminal way too late at night. Now I’m working on improving my Rsync scripts for better automated backups and I went and copied a bunch of important stuff to a 500 GB HDD I had around and labelled it ‘offline backups #1’.

2 is 1 and 1 is none, but remember: if the backup is “online” it doesn’t count. And you can read online to mean BOTH cloud backups and a disk actively connected to a computer or the internet.

Offline backups and multiples are the way to go (beyond snapshots and other things).

…also having multiple offline backups stored in the same physical location doesn’t improve things much over a single offline backup either.

Make sure your offline backups are reasonably well encrypted, then ideally store one or two copies with friends - rotating periodically so they don’t get too out of date. At the very least don’t keep them in the same building.

You can bring the cost of such strategies down a bit with bare drives:

For desktops: https://www.amazon.com/dp/B007Q4EZEA/
For laptops: https://www.amazon.com/dp/B07B3S5FSF/ (I haven’t used this specific one, but it appears to be a more modern version of one I’ve been using for a long time.)

Even just throwing a backup disk in your car may be enough “offsite” for most people, especially if you reliably rotate it.

Apparently it wasn’t the old CVE, it was a new one. But the bug has been around since a code refactor in 2011…
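The CVE description at the top of the thread comes down to a request parameter reaching a shell without validation. As an added example (not WD's code and not written by anyone in the thread), the Python below shows the server-side mitigation pattern: a strict allowlist on the language value, followed by an argv-list call that never involves a shell. The locale format, the function names and the echo helper that stands in for the device's configuration command are all assumptions.

```python
import re
import subprocess
import sys

# Assumption: valid values look like "en_US"; the device's real accepted set is not on the page.
LOCALE_RE = re.compile(r"[a-z]{2}_[A-Z]{2}")


def validate_language(value):
    """Return value unchanged if it is a plain locale code, else raise ValueError."""
    # fullmatch (not match with "$") so a trailing newline is rejected too.
    if not isinstance(value, str) or LOCALE_RE.fullmatch(value) is None:
        raise ValueError("rejected language value: %r" % (value,))
    return value


def apply_language(value):
    """Hypothetical handler: validate first, then run a helper with no shell."""
    lang = validate_language(value)
    # Stand-in for the config helper: a child Python that echoes its one argument.
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", lang]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.strip()


def triage(values):
    """Split request values into (accepted, rejected) lists for logging or alerting."""
    accepted, rejected = [], []
    for v in values:
        try:
            accepted.append(validate_language(v))
        except ValueError:
            rejected.append(v)
    return accepted, rejected


# Constructed sample inputs, not captured traffic.
SAMPLES = ["en_US", "de_DE", "en_US;true", "fr_FR\n", "$(true)", "", "../en_US"]

if __name__ == "__main__":
    ok, bad = triage(SAMPLES)
    print("accepted:", ok)
    print("rejected:", bad)
    print("helper saw:", apply_language("en_US"))
```

Either control alone would stop this class of bug; using both means a later change to one of them does not reopen it.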