WD Discovery, SanDisk ibi, and SanDisk Flashback - Remote Command Execution


WDC Tracking Number: WDC-19014
Product Line/Web: WD Discovery, SanDisk ibi, SanDisk Flashback
Published: August 21, 2019

Last Updated: August 21, 2019

Description

WD Discovery, SanDisk ibi, and SanDisk Flashback were vulnerable to unauthenticated remote command execution with elevated privileges, reachable either from the local network (LAN) or through the user’s browser when the user visited a malicious website. This vulnerability could be exploited to allow malware installation, discreet surveillance, ransomware, data destruction or other malicious attacks. This was addressed by ensuring that all three products are no longer listening on outside interfaces and by adding CSRF prevention.

Product Impact          Last Updated
WD Discovery Mac        August 21, 2019
WD Discovery Windows    August 21, 2019
Flashback for Mac       August 21, 2019
Flashback for Win       August 21, 2019
ibi Version             August 21, 2019

Advisory Summary

This vulnerability was addressed by ensuring that all three products are no longer listening on outside interfaces and by adding CSRF prevention.
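
The two mitigations named in the Description and Advisory Summary (loopback-only listening and CSRF prevention), shown for a hypothetical local helper service. This is an added example, not Western Digital's or SanDisk's code; the port, header name `X-CSRF-Token`, and all function names are assumptions.

```python
# Added example: hypothetical local helper service, not the vendor's code.
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

BIND_ADDR = "127.0.0.1"   # loopback only: no listener on outside interfaces
PORT = 8765               # assumed port for this sketch
# Per-run secret, handed to the legitimate local UI out of band (assumption).
SESSION_TOKEN = secrets.token_urlsafe(32)
ALLOWED_HOSTS = {f"127.0.0.1:{PORT}", f"localhost:{PORT}"}
ALLOWED_ORIGINS = {f"http://{h}" for h in ALLOWED_HOSTS}


def request_allowed(headers, token=SESSION_TOKEN):
    """Return (ok, reason) for the headers of a state-changing request."""
    # Host check: accept only the names this service is meant to be
    # addressed by.
    if headers.get("Host", "") not in ALLOWED_HOSTS:
        return False, "bad host"
    # Origin check: browsers attach Origin to cross-site POSTs, so a request
    # issued by a foreign web page is rejected here.
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "cross-origin"
    # CSRF token: required even when Origin is absent (non-browser clients).
    supplied = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(supplied.encode(), token.encode()):
        return False, "bad token"
    return True, "ok"


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        ok, reason = request_allowed(self.headers)
        self.send_response(204 if ok else 403)
        self.send_header("X-Reason", reason)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer((BIND_ADDR, PORT), Handler).serve_forever()
```

Binding to loopback removes the LAN path; the Host, Origin and token checks cover the browser path, since a loopback listener is still reachable by pages loaded in the local browser.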