SanDisk and Western Digital SSD Dashboard Vulnerabilities


WDC Tracking Number: WDC-19009
Published: July 11, 2019

Last Updated: July 11, 2019

Description

The Western Digital and SanDisk SSD Dashboard applications are potentially vulnerable to man-in-the-middle attacks when the applications download resources from the Dashboard web service. This vulnerability may allow an attacker to substitute downloaded resources with arbitrary files. Additionally, the “generate reports” archive is protected with a hard-coded password. An application update that addresses the protection of resource downloads and archive encryption is available.

| Product Impact | Last Updated |
| --- | --- |
| Western Digital SSD Dashboard | July 11, 2019 |
| SanDisk SSD Dashboard | July 11, 2019 |

Update Availability

To install the software update, please download and install the latest SanDisk SSD Dashboard or Western Digital SSD Dashboard.

Advisory Summary

The Western Digital and SanDisk SSD Dashboard applications rely on HTTP for resource downloads from Dashboard’s web service. Installing the updated application will ensure the application uses HTTPS for resource downloads.

CVE Number: CVE-2019-13467
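
One way to find endpoints that still fetch Dashboard resources over plaintext HTTP, and so have not yet installed the update, is to search web proxy logs. This is an added example, not code from Western Digital or SanDisk. The hostname, URL paths, and five-field log format are constructed assumptions, because the advisory does not name the web service host.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: placeholder hostname. Replace it with the Dashboard web-service
# host(s) observed in your own environment; the advisory does not list them.
DASHBOARD_HOSTS = {"dashboard-service.example"}

# Constructed sample proxy log: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2019-07-12T09:14:02Z 10.0.4.17 GET http://dashboard-service.example/resources/a.xml 200
2019-07-12T09:14:05Z 10.0.4.17 GET http://dashboard-service.example/resources/b.xml 200
2019-07-12T09:20:41Z 10.0.4.23 CONNECT dashboard-service.example:443 200
2019-07-12T09:31:10Z 10.0.4.31 GET http://DASHBOARD-SERVICE.example:80/resources/c.xml 200
2019-07-12T09:33:00Z 10.0.4.40 GET http://other-site.example/index.html 200
truncated record
"""


def cleartext_dashboard_clients(log_text, hosts=DASHBOARD_HOSTS):
    """Return {client_ip: [urls]} for plaintext-HTTP requests to the given hosts."""
    wanted = {h.lower() for h in hosts}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed or truncated records
        _ts, client, method, url, _status = fields
        if method.upper() == "CONNECT":
            continue  # TLS tunnel through the proxy, i.e. the client uses HTTPS
        parts = urlsplit(url)
        # urlsplit lowercases the scheme and hostname and strips the port.
        if parts.scheme == "http" and (parts.hostname or "") in wanted:
            hits[client].append(url)
    return dict(hits)


if __name__ == "__main__":
    for client, urls in sorted(cleartext_dashboard_clients(SAMPLE_LOG).items()):
        print(f"{client}: {len(urls)} plaintext Dashboard request(s)")
        for url in urls:
            print(f"  {url}")
```

Clients that appear in the result are candidates for the application update. Clients that only show `CONNECT` entries for the service are already using HTTPS.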

The Western Digital and SanDisk SSD Dashboard applications provide a function to generate system information reports for diagnosing issues, which uses a hard-coded password to archive the report files. Given the use case for these reports, the updated application will no longer encrypt the system information report files, and customers requiring support should instead directly share such reports with our Customer Support teams only.

CVE Number: CVE-2019-13466