Sign-up

ID

VAR-201906-0768


CVE

CVE-2018-18472


TITLE

Western Digital WD My Book Live operating system command injection vulnerability

Trust: 1.2

sources: CNVD: CNVD-2021-46467 // CNNVD: CNNVD-201810-1324

DESCRIPTION

Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device, as exploited in the wild in June 2021 for factory reset commands,. Remote attackers can use this vulnerability to execute commands

Trust: 2.34

sources: NVD: CVE-2018-18472 // JVNDB: JVNDB-2018-015725 // CNVD: CNVD-2021-46467 // VULHUB: VHN-129035 // VULMON: CVE-2018-18472

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-46467

AFFECTED PRODUCTS

vendor:westerndigitalmodel:my book livescope:eqversion:*

Trust: 1.0

vendor:western digitalmodel:wd my book livescope: - version: -

Trust: 0.8

vendor:westernmodel:digital wd my book livescope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2021-46467 // JVNDB: JVNDB-2018-015725 // NVD: CVE-2018-18472

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-18472
value: CRITICAL

Trust: 1.0

NVD: CVE-2018-18472
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2021-46467
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201810-1324
value: CRITICAL

Trust: 0.6

VULHUB: VHN-129035
value: HIGH

Trust: 0.1

VULMON: CVE-2018-18472
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-18472
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2021-46467
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-129035
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-18472
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2021-46467 // VULHUB: VHN-129035 // VULMON: CVE-2018-18472 // JVNDB: JVNDB-2018-015725 // CNNVD: CNNVD-201810-1324 // NVD: CVE-2018-18472

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.1

problemtype:CWE-77

Trust: 0.9

sources: VULHUB: VHN-129035 // JVNDB: JVNDB-2018-015725 // NVD: CVE-2018-18472

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-1324

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201810-1324

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-015725

PATCH
title:Top Pageurl:https://www.wdc.com
Trust: 0.8
title:notesurl:https://github.com/odolezal/notes 
Trust: 0.1
title:Threatposturl:https://threatpost.com/zero-day-wipe-my-book-live/167422/
Trust: 0.1
title:BleepingComputerurl:https://www.bleepingcomputer.com/news/security/hackers-use-zero-day-to-mass-wipe-my-book-live-devices/
Trust: 0.1
title:The Registerurl:https://www.theregister.co.uk/2021/06/25/western_digital_nas_wiped/
Trust: 0.1
sources:
            
            
            VULMON: CVE-2018-18472 // 
            
            
            
            JVNDB: JVNDB-2018-015725

EXTERNAL IDS
db:NVDid:CVE-2018-18472
Trust: 3.2
db:JVNDBid:JVNDB-2018-015725
Trust: 0.8
db:CNNVDid:CNNVD-201810-1324
Trust: 0.7
db:CNVDid:CNVD-2021-46467
Trust: 0.6
db:VULHUBid:VHN-129035
Trust: 0.1
db:VULMONid:CVE-2018-18472
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2021-46467 // 
            
            
            
            VULHUB: VHN-129035 // 
            
            
            
            VULMON: CVE-2018-18472 // 
            
            
            
            JVNDB: JVNDB-2018-015725 // 
            
            
            
            CNNVD: CNNVD-201810-1324 // 
            
            
            
            NVD: CVE-2018-18472

REFERENCES
url:https://www.wizcase.com/blog/hack-2018/
Trust: 2.6
url:https://nvd.nist.gov/vuln/detail/cve-2018-18472
Trust: 2.0
url:https://www.westerndigital.com/support/productsecurity/wdc-21008-recommended-security-measures-wd-mybooklive-wd-mybookliveduo
Trust: 1.8
url:https://community.wd.com/t/action-required-on-my-book-live-and-my-book-live-duo/268147
Trust: 1.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-18472
Trust: 0.8
url:https://www.wdc.com
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/78.html
Trust: 0.1
url:https://github.com/odolezal/notes
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://threatpost.com/zero-day-wipe-my-book-live/167422/
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2021-46467 // 
            
            
            
            VULHUB: VHN-129035 // 
            
            
            
            VULMON: CVE-2018-18472 // 
            
            
            
            JVNDB: JVNDB-2018-015725 // 
            
            
            
            CNNVD: CNNVD-201810-1324 // 
            
            
            
            NVD: CVE-2018-18472

SOURCES
db:CNVDid:CNVD-2021-46467
db:VULHUBid:VHN-129035
db:VULMONid:CVE-2018-18472
db:JVNDBid:JVNDB-2018-015725
db:CNNVDid:CNNVD-201810-1324
db:NVDid:CVE-2018-18472

LAST UPDATE DATE
2024-08-14T15:43:43.338000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2021-46467date:2021-07-01T00:00:00
db:VULHUBid:VHN-129035date:2020-08-24T00:00:00
db:VULMONid:CVE-2018-18472date:2021-06-25T00:00:00
db:JVNDBid:JVNDB-2018-015725date:2019-06-26T00:00:00
db:CNNVDid:CNNVD-201810-1324date:2021-06-30T00:00:00
db:NVDid:CVE-2018-18472date:2021-06-25T10:15:08.137

SOURCES RELEASE DATE
db:CNVDid:CNVD-2021-46467date:2021-07-01T00:00:00
db:VULHUBid:VHN-129035date:2019-06-19T00:00:00
db:VULMONid:CVE-2018-18472date:2019-06-19T00:00:00
db:JVNDBid:JVNDB-2018-015725date:2019-06-26T00:00:00
db:CNNVDid:CNNVD-201810-1324date:2018-10-29T00:00:00
db:NVDid:CVE-2018-18472date:2019-06-19T16:15:10.703