ID

VAR-201906-0768


CVE

CVE-2018-18472


TITLE

Western Digital WD My Book Live operating system command injection vulnerability

Trust: 1.2

sources: CNVD: CNVD-2021-46467 // CNNVD: CNNVD-201810-1324

DESCRIPTION

Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device, as exploited in the wild in June 2021 for factory reset commands,. Remote attackers can use this vulnerability to execute commands

Trust: 2.34

sources: NVD: CVE-2018-18472 // JVNDB: JVNDB-2018-015725 // CNVD: CNVD-2021-46467 // VULHUB: VHN-129035 // VULMON: CVE-2018-18472

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-46467

AFFECTED PRODUCTS

vendor:westerndigitalmodel:my book livescope:eqversion:*

Trust: 1.0

vendor:western digitalmodel:wd my book livescope: - version: -

Trust: 0.8

vendor:westernmodel:digital wd my book livescope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2021-46467 // JVNDB: JVNDB-2018-015725 // NVD: CVE-2018-18472

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-18472
value: CRITICAL

Trust: 1.0

NVD: CVE-2018-18472
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2021-46467
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201810-1324
value: CRITICAL

Trust: 0.6

VULHUB: VHN-129035
value: HIGH

Trust: 0.1

VULMON: CVE-2018-18472
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-18472
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2021-46467
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-129035
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-18472
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2021-46467 // VULHUB: VHN-129035 // VULMON: CVE-2018-18472 // JVNDB: JVNDB-2018-015725 // CNNVD: CNNVD-201810-1324 // NVD: CVE-2018-18472

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.1

problemtype:CWE-77

Trust: 0.9

sources: VULHUB: VHN-129035 // JVNDB: JVNDB-2018-015725 // NVD: CVE-2018-18472

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-1324

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201810-1324

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-015725

PATCH

title:Top Pageurl:https://www.wdc.com

Trust: 0.8

title:notesurl:https://github.com/odolezal/notes

Trust: 0.1

title:Threatposturl:https://threatpost.com/zero-day-wipe-my-book-live/167422/

Trust: 0.1

title:BleepingComputerurl:https://www.bleepingcomputer.com/news/security/hackers-use-zero-day-to-mass-wipe-my-book-live-devices/

Trust: 0.1

title:The Registerurl:https://www.theregister.co.uk/2021/06/25/western_digital_nas_wiped/

Trust: 0.1

sources: VULMON: CVE-2018-18472 // JVNDB: JVNDB-2018-015725

EXTERNAL IDS

db:NVDid:CVE-2018-18472

Trust: 3.2

db:JVNDBid:JVNDB-2018-015725

Trust: 0.8

db:CNNVDid:CNNVD-201810-1324

Trust: 0.7

db:CNVDid:CNVD-2021-46467

Trust: 0.6

db:VULHUBid:VHN-129035

Trust: 0.1

db:VULMONid:CVE-2018-18472

Trust: 0.1

sources: CNVD: CNVD-2021-46467 // VULHUB: VHN-129035 // VULMON: CVE-2018-18472 // JVNDB: JVNDB-2018-015725 // CNNVD: CNNVD-201810-1324 // NVD: CVE-2018-18472

REFERENCES

url:https://www.wizcase.com/blog/hack-2018/

Trust: 2.6

url:https://nvd.nist.gov/vuln/detail/cve-2018-18472

Trust: 2.0

url:https://www.westerndigital.com/support/productsecurity/wdc-21008-recommended-security-measures-wd-mybooklive-wd-mybookliveduo

Trust: 1.8

url:https://community.wd.com/t/action-required-on-my-book-live-and-my-book-live-duo/268147

Trust: 1.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-18472

Trust: 0.8

url:https://www.wdc.com

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/78.html

Trust: 0.1

url:https://github.com/odolezal/notes

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://threatpost.com/zero-day-wipe-my-book-live/167422/

Trust: 0.1

sources: CNVD: CNVD-2021-46467 // VULHUB: VHN-129035 // VULMON: CVE-2018-18472 // JVNDB: JVNDB-2018-015725 // CNNVD: CNNVD-201810-1324 // NVD: CVE-2018-18472

SOURCES

db:CNVDid:CNVD-2021-46467
db:VULHUBid:VHN-129035
db:VULMONid:CVE-2018-18472
db:JVNDBid:JVNDB-2018-015725
db:CNNVDid:CNNVD-201810-1324
db:NVDid:CVE-2018-18472

LAST UPDATE DATE

2024-11-23T22:06:10.157000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2021-46467date:2021-07-01T00:00:00
db:VULHUBid:VHN-129035date:2020-08-24T00:00:00
db:VULMONid:CVE-2018-18472date:2021-06-25T00:00:00
db:JVNDBid:JVNDB-2018-015725date:2019-06-26T00:00:00
db:CNNVDid:CNNVD-201810-1324date:2021-06-30T00:00:00
db:NVDid:CVE-2018-18472date:2024-11-21T03:55:59.670

SOURCES RELEASE DATE

db:CNVDid:CNVD-2021-46467date:2021-07-01T00:00:00
db:VULHUBid:VHN-129035date:2019-06-19T00:00:00
db:VULMONid:CVE-2018-18472date:2019-06-19T00:00:00
db:JVNDBid:JVNDB-2018-015725date:2019-06-26T00:00:00
db:CNNVDid:CNNVD-201810-1324date:2018-10-29T00:00:00
db:NVDid:CVE-2018-18472date:2019-06-19T16:15:10.703