Update, 9:00 PM: Western Digital has published an update that says the company will provide data recovery services starting early next month. My Book Live customers will also be eligible for a trade-in program so they can upgrade to My Cloud devices. A spokeswoman said the data recovery service will be free of charge.

The company also provided new technical details about the zero-day, which is now being tracked as CVE-2021-35941:

We have heard concerns about the nature of this vulnerability and are sharing technical details to address these questions. We have determined that the unauthenticated factory reset vulnerability was introduced to the My Book Live in April of 2011 as part of a refactor of authentication logic in the device firmware. The refactor centralized the authentication logic into a single file, which is present on the device as includes/component_config.php and contains the authentication type required by each endpoint. In this refactor, the authentication logic in system_factory_restore.php was correctly disabled, but the appropriate authentication type of ADMIN_AUTH_LAN_ALL was not added to component_config.php, resulting in the vulnerability. The same refactor removed authentication logic from other files and correctly added the appropriate authentication type to the component_config.php file.

We have reviewed log files which we have received from affected customers to understand and characterize the attack.
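The omission described in the statement, modelled as an added example (not Western Digital's code): a central table maps each endpoint to its required authentication type, and a build-time audit flags any endpoint with no entry. Only system_factory_restore.php and ADMIN_AUTH_LAN_ALL come from the statement; the other endpoint names, the NO_AUTH marker and the assumption that a missing entry means "no authentication required" are hypothetical.

```python
"""Added illustration: a central per-endpoint auth table with one missing entry."""

# Constructed model. Only system_factory_restore.php and ADMIN_AUTH_LAN_ALL are
# taken from the statement; every other name here is hypothetical.
ADMIN_AUTH_LAN_ALL = "ADMIN_AUTH_LAN_ALL"
NO_AUTH = "NO_AUTH"  # hypothetical marker for intentionally public endpoints

COMPONENT_CONFIG = {
    "example_status.php": NO_AUTH,                     # hypothetical endpoint
    "example_user_settings.php": ADMIN_AUTH_LAN_ALL,   # hypothetical endpoint
    # system_factory_restore.php has no entry: the omission the statement describes
}

ENDPOINT_FILES = [
    "example_status.php",
    "example_user_settings.php",
    "system_factory_restore.php",
]


def required_auth_fail_open(endpoint, config):
    """Assumed unsafe default: a missing entry means no authentication."""
    return config.get(endpoint, NO_AUTH)


def required_auth_fail_closed(endpoint, config):
    """Safer default: a missing entry falls back to requiring ADMIN_AUTH_LAN_ALL."""
    return config.get(endpoint, ADMIN_AUTH_LAN_ALL)


def is_allowed(endpoint, config, authenticated, resolver):
    """Decide a request using the resolver's auth type for the endpoint."""
    return resolver(endpoint, config) == NO_AUTH or authenticated


def audit_missing_entries(endpoint_files, config):
    """Build-time check: every shipped endpoint needs an explicit entry."""
    return sorted(f for f in endpoint_files if f not in config)


if __name__ == "__main__":
    for name in audit_missing_entries(ENDPOINT_FILES, COMPONENT_CONFIG):
        print(f"missing auth type for endpoint: {name}")
```

Running the audit in CI and resolving unknown endpoints fail-closed are independent controls; either one would have surfaced or neutralized a forgotten table entry of this kind.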