Multiple vulnerabilities in SanDisk X300, X300s, and X400 SATA SED SSD devices


WDC Tracking Number: WDC-19007
Published: May 23, 2019

Last Updated: May 23, 2019

Description

The SanDisk X300, X300s and X400 SATA SED SSD devices are vulnerable to an attack where data stored and encrypted by the device may be decrypted without knowledge of proper authentication credentials. Additionally, the affected devices are vulnerable to an attack where inauthentic firmware updates may be installed.

Product Impact
Last Updated
SD7TB6S-XXXX-XXXX
May 23, 2019
SD7TB7S-XXXX-XXXX
May 23, 2019
SD7TN6S-XXXX-XXXX
May 23, 2019
SD7UB2Q-XXXX-XXXX
May 23, 2019
SD7UB3Q-XXXX-XXXX
May 23, 2019
SD7UN3Q-XXXX-XXXX
May 23, 2019
SD8TB8U-XXXX-XXXX
May 23, 2019

Advisory Summary

There is no cryptographic relation between the password provided by the end user and the key used for encryption of user data. The key used for encryption of user data is protected by an internal parameter of the drive, and if extracted, could allow data to be decrypted without knowledge of proper authentication credentials.

Mitigation: Use software encryption.

CVE Number: CVE-2018-12037
Reported by: Carlo Meijer (Radboud University, the Netherlands) and Bernard van Gastel (Radboud University, the Netherlands, Open University of the Netherlands)

A vulnerability in the wear-leveling algorithm of the drive may cause cryptographically sensitive parameters (such as data encryption keys) to remain on the drive media after their intended erasure.

Mitigation: Use software encryption.

CVE Number: CVE-2019-11686
Reported by: Carlo Meijer (Radboud University, the Netherlands) and Bernard van Gastel (Radboud University, the Netherlands, Open University of the Netherlands)
Western Digital

The firmware update authentication method for affected devices relies on a symmetric HMAC digest. The key used to validate this digest is present in a protected area of the device, and if extracted could be used to install arbitrary firmware to other devices.

CVE Number: CVE-2019-10706
Reported by: Carlo Meijer (Radboud University, the Netherlands) and Bernard van Gastel (Radboud University, the Netherlands, Open University of the Netherlands)

A vulnerability in the secure boot scheme may allow internally protected parameters to be extracted. This vulnerability affects the following drive model numbers, which use secure boot to protect key material stored internally to the drive:

  • SD8TB8U-XXXX-XXXX
  • SD8TN8U-XXXX-XXXX

CVE Number: CVE-2019-10636
Reported by: Carlo Meijer (Radboud University, the Netherlands) and Bernard van Gastel (Radboud University, the Netherlands, Open University of the Netherlands)