Multiple vulnerabilities in SanDisk X600 SATA SED SSD
WDC Tracking Number: WDC-19006
Published: May 20, 2019
Last Updated: May 23, 2019
Description
The SanDisk X600 SATA SED SSD is vulnerable to an attack where data stored and encrypted by the device may be decrypted without knowledge of proper authentication credentials. Additionally, the device is vulnerable to an attack where inauthentic firmware updates may be installed. A firmware update that addresses the protection of data stored on the drive is available.
Update Availability:
To install the firmware update on the following model numbers, please download and install the SanDisk SSD Dashboard:
- SD9TB8W-XXXX-1122
- SD9TN8W-XXXX-1122
- SD9TB8W-XXXX (no extension code)
- SD9TN8W-XXXX (no extension code)
In the SanDisk SSD Dashboard application, select Tools/Firmware Update to check for and update the firmware on your drive.
For all other impacted model numbers, please contact your system vendor for the applicable firmware update.
Tracking number: WDC-19006
Advisory Summary
In the following configurations, a vulnerability in the access control mechanism of the drive may allow data to be decrypted without knowledge of proper authentication credentials.
- If the Opal SSC is activated and configured with more than one LBA range enabled, and at least one range does not have read or write locking enabled, the contents of any ranges with both read and write locking enabled may be decrypted through an improperly protected intermediate key.
- If the Opal SSC was previously activated on the drive, then deactivated, and the ATA security feature set is enabled on the drive, the contents of the drive may be decrypted through an improperly protected intermediate key.
- If the ATA security feature set is enabled in the Maximum mode, the Master password may be used to decrypt the content of the drive through an improperly protected intermediate key.
Western Digital periodically retains the services of third-party firms to audit and test the security of our products. For this firmware patch, the security firm Trail of Bits was engaged to review the changes made to the cryptographic access control mechanism. In order to provide transparency to our customers, we have elected to make a summary of the audit report available to the public.
Mitigation
The following mitigations are available for this issue:
- Install the firmware patch available for your SSD. For drives configured using TCG Opal, the access control mechanism will be updated upon first power on of the drive following installation of the update. For drives configured using ATA security, the access control mechanism will be updated upon first unlock fo the drive following the update.
- If the firmware patch cannot be installed, for drives configured using TCG Opal, ensure that all ranges on the disk are configured with read and write locking enabled.
- If the firmware patch cannot be installed, for drives configured using ATA security, ensure that the drive is configured using the High mode.
- Use software encryption.
CVE Number: CVE-2019-10705
Reported by: Carlo Meijer (Radboud University, the Netherlands) and Bernard van Gastel (Radboud University, the Netherlands, Open University of the Netherlands)
Advisory Summary
A vulnerability in the wear-leveling algorithm of the drive may cause cryptographically sensitive parameters (such as data encryption keys) to remain on the drive media after their intended erasure.
Mitigation:
- Install the firmware patch available for your SSD.
- Use software encryption.
CVE Number: CVE-2019-11686
Reported by: Carlo Meijer (Radboud University, the Netherlands) and Bernard van Gastel (Radboud University, the Netherlands, Open University of the Netherlands)
Western Digital
Advisory Summary
The firmware update authentication method for affected devices relies on a symmetric HMAC digest. The key used to validate this digest is present in a protected area of the device, and if extracted could be used to install arbitrary firmware to any X600 device except those listed below.
The following model numbers are not affected by this issue:
- SD9TB8W-XXXX-1006
- SD9TN8W-XXXX-1006
CVE Number: CVE-2019-10706
Reported by: Carlo Meijer (Radboud University, the Netherlands) and Bernard van Gastel (Radboud University, the Netherlands, Open University of the Netherlands)
Advisory Summary
A vulnerability in the secure boot scheme may allow internally protected parameters to be extracted.
CVE Number: CVE-2019-10636
Reported by: Carlo Meijer (Radboud University, the Netherlands) and Bernard van Gastel (Radboud University, the Netherlands, Open University of the Netherlands)