WDC Tracking Number: WDC-22012
Product Line: SanDisk ibi
Published: August 29, 2022
Last Updated: August 29, 2022
SanDisk ibi firmware version 8.9.0-108 is a major release containing updates to help improve the security of your SanDisk ibi devices. Numerous changes were made to the operating system to comprehensively improve its security and to upgrade the user experience to support our latest technologies.
The base operating system has been upgraded from an Android-based operating system to the Linux operating system, aligning the product with security and stability updates from Debian 10 "Buster".
Additionally, the Linux kernel has been updated to 4.9.266.
Your SanDisk ibi devices will be automatically updated to reflect the latest firmware version.
For more information on the latest security updates, see the release notes.
A vulnerability in the Linux kernel's cgroup_release_agent_write was addressed that could allow privilege escalation and an unexpected bypass of namespace isolation.
CVE Number: CVE-2022-0492
Addressed an issue in OpenSSL that would make it possible to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing takes place before the certificate signature verification process, this could lead to a denial-of-service attack.
CVE Number: CVE-2022-0778
Addressed a memory copy vulnerability in the Linux Wi-Fi driver.
Addressed a command injection vulnerability that could allow an attacker on the same LAN to carry out a DNS spoofing attack via an unsecured HTTP call. This was done by removing the affected code from the product.
Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.8-0+deb10u1.
CVE Number: CVE-2020-20445, CVE-2020-20446, CVE-2020-20453, CVE-2020-21041, CVE-2020-22015, CVE-2020-22016, CVE-2020-22017, CVE-2020-22019, CVE-2020-22020, CVE-2020-22021, CVE-2020-22022, CVE-2020-22023, CVE-2020-22025, CVE-2020-22026, CVE-2020-22027, CVE-2020-22028, CVE-2020-22029, CVE-2020-22030, CVE-2020-22031, CVE-2020-22032, CVE-2020-22033, CVE-2020-22034, CVE-2020-22035, CVE-2020-22036, CVE-2020-22037, CVE-2020-22049, CVE-2020-22054, CVE-2020-35965, CVE-2021-38114, CVE-2021-38171, CVE-2021-38291
Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.9-0+deb10u1.
Implemented firmware signing to prevent malicious modifications to the firmware and verify the firmware’s authenticity and integrity.
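The advisory does not describe the signing scheme, so the following is an added illustration rather than Western Digital's code. It shows the two halves of a signed-firmware check: the build side signs the image, and the device side verifies the signature against a public key pinned in the verifier before it hands any bytes to the updater. The image layout (a four-byte magic, a big-endian length, the payload, then a 64-byte Ed25519 signature) is constructed for this example, as is the sample payload; only Go's standard library is used.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not the ibi on-disk format):
//
//	magic (4 bytes) | payload length (4 bytes, big-endian) | payload | Ed25519 signature (64 bytes)
//
// The signature covers everything before it, so the header is authenticated too and a
// tampered length field cannot redirect the verifier to a different byte range.
const (
	imageMagic = "FWIM"
	headerLen  = 8
)

var (
	ErrMalformed = errors.New("firmware image malformed")
	ErrSignature = errors.New("firmware signature invalid")
)

// GenerateSigningKey creates the vendor's signing key pair. In a real build system the
// private half stays in an HSM or signing service; only the public key ships on the device.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignImage builds a signed image from a raw payload (the build-pipeline side).
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(imageMagic)
	_ = binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes())) // sign header + payload
	return buf.Bytes()
}

// VerifyImage is the device-side check. It returns the payload only after the signature
// has verified against the pinned public key, so callers never see unverified bytes.
func VerifyImage(pinnedPub ed25519.PublicKey, image []byte) ([]byte, error) {
	// Bounds checks first: never slice based on an untrusted length field without
	// confirming it is consistent with the bytes actually present.
	if len(image) < headerLen+ed25519.SignatureSize || string(image[:4]) != imageMagic {
		return nil, ErrMalformed
	}
	payloadLen := binary.BigEndian.Uint32(image[4:headerLen])
	if uint64(payloadLen) != uint64(len(image)-headerLen-ed25519.SignatureSize) {
		return nil, ErrMalformed
	}
	signedRegion := image[:headerLen+int(payloadLen)]
	sig := image[headerLen+int(payloadLen):]
	if !ed25519.Verify(pinnedPub, signedRegion, sig) {
		return nil, ErrSignature
	}
	return signedRegion[headerLen:], nil
}

func main() {
	pub, priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	image := SignImage(priv, []byte("constructed firmware payload"))
	if _, err := VerifyImage(pub, image); err != nil {
		panic(err)
	}
	fmt.Println("genuine image accepted")

	tampered := append([]byte(nil), image...)
	tampered[headerLen] ^= 0x01 // flip one payload bit
	_, err = VerifyImage(pub, tampered)
	fmt.Println("tampered image:", err)
}
```

The point of returning the payload from VerifyImage, rather than a bare boolean, is that the code path which writes to flash can only obtain bytes that have already passed verification; a missed check becomes a compile error rather than a silent bypass.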
Transitioned to Go’s crypto/tls library for secure communications.
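As an added example that is not the product's own code, the block below shows what a correctly configured crypto/tls client looks like: a pinned root set, an explicit server name so hostname verification runs, and a TLS 1.2 floor, with InsecureSkipVerify left at its default of false. A throwaway self-signed certificate and the device name "ibi.local" are constructed for the demonstration, and the handshake runs over an in-memory net.Pipe so it needs no network. Session tickets are disabled on the server side only because a synchronous pipe cannot absorb post-handshake writes; that is a property of the test harness, not a recommendation for production.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// MinVersion is the floor the client enforces; TLS 1.0 and 1.1 are never negotiated.
const MinVersion = tls.VersionTLS12

// NewSelfSignedServer creates a throwaway self-signed certificate for host and a pool
// containing it, standing in for the device certificate and the trust roots pinned in
// the client (constructed for this example).
func NewSelfSignedServer(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: acts as its own root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail: der was just produced above
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// ClientConfig is the hardened client side: a pinned root set instead of the system
// store, the expected server name so hostname checking runs, and a version floor.
func ClientConfig(roots *x509.CertPool, serverName string) *tls.Config {
	return &tls.Config{
		RootCAs:    roots,
		ServerName: serverName,
		MinVersion: MinVersion,
	}
}

// Handshake runs one client/server handshake over an in-memory pipe (no sockets) and
// returns the negotiated protocol version together with the client's verdict.
func Handshake(serverCert tls.Certificate, clientCfg *tls.Config) (uint16, error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	deadline := time.Now().Add(5 * time.Second)
	_ = srvConn.SetDeadline(deadline) // a stuck handshake times out instead of hanging
	_ = cliConn.SetDeadline(deadline)

	srv := tls.Server(srvConn, &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		MinVersion:             MinVersion,
		SessionTicketsDisabled: true, // harness only: no post-handshake writes on a synchronous pipe
	})
	cli := tls.Client(cliConn, clientCfg)

	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	err := cli.Handshake()
	<-srvErr
	if err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	cert, roots, err := NewSelfSignedServer("ibi.local") // hypothetical device name
	if err != nil {
		panic(err)
	}
	v, err := Handshake(cert, ClientConfig(roots, "ibi.local"))
	fmt.Printf("pinned root, matching name: version=%#x err=%v\n", v, err)
	_, err = Handshake(cert, ClientConfig(roots, "other.example"))
	fmt.Println("name mismatch rejected:", err)
}
```

Two things are worth checking in any client that uses this library: that ServerName is set when dialing by IP address or through a proxy (otherwise hostname verification has nothing to compare against), and that RootCAs is deliberately chosen, since a nil value silently falls back to the host's system store.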
Enabled several kernel hardening options to make exploits of kernel and userland security bugs more difficult to develop.
Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices. Added protections for AWS credentials that had not been properly protected.
CVE Number: CVE-2022-22997, CVE-2022-22998
Addressed multiple libtiff null pointer dereference vulnerabilities by updating the version to 4.4.0.
CVE Number: CVE-2022-0562, CVE-2022-0561, CVE-2022-0865
Addressed an improper input validation and out-of-bounds write vulnerability in TensorFlow, an open-source platform for machine learning. An attacker could pass negative values to cause a segmentation fault, resulting in a denial of service. Certain components also did not validate input arguments, which could likewise trigger a denial-of-service condition.
CVE Number: CVE-2022-29191, CVE-2022-29213, CVE-2022-29208