Western Digital SSD Dashboard Setup, Privilege Escalation


WDC Tracking Number: WDC-20001
Product Line/Web:  WesternDigitalSSDDashboardSetup.exe and SanDiskSSDDashboardSetup.exe
Published: February 10, 2020

Last Updated: February 10, 2020

Description

The Western Digital and SanDisk SSD Dashboard installer versions prior to 3.0.2.0 have a DLL hijacking vulnerability. If an attacker knows which DLLs a program loads, a malicious DLL can be injected into the loading process. Successful exploitation of this vulnerability could lead to arbitrary code execution in the context of the system user. An update that addresses the vulnerability is available.

Product Impact
Last Updated
WesternDigitalSSDDashboardSetup.exe
February 10, 2020
SanDiskSSDDashboardSetup.exe
February 10, 2020

Update Availability/Remediation

To install or uninstall SanDisk SSD Dashboard or Western Digital SSD Dashboard, please download and run the latest version of the installer.

Advisory Summary

The affected versions of Western Digital and SanDisk SSD Dashboard installers are vulnerable to DLL search order hijacking, which allow malicious users to escalate user privileges upon execution of the installer. Using the updated installers to install or uninstall the application will mitigate this potential vulnerability.

CVE Number: CVE-2020-8959

Reported by: Eli Paz and Eran Shimony of Cyberark Labs.