Advisory Summary
In the following configurations, a vulnerability in the access control mechanism of the drive may allow data to be decrypted without knowledge of proper authentication credentials.
- If the Opal SSC is activated and configured with more than one LBA range enabled, and at least one range does not have read or write locking enabled, the contents of any ranges with both read and write locking enabled may be decrypted through an improperly protected intermediate key.
- If the Opal SSC was previously activated on the drive, then deactivated, and the ATA security feature set is enabled on the drive, the contents of the drive may be decrypted through an improperly protected intermediate key.
- If the ATA security feature set is enabled in the Maximum mode, the Master password may be used to decrypt the content of the drive through an improperly protected intermediate key.
Western Digital periodically retains the services of third-party firms to audit and test the security of our products. For this firmware patch, the security firm Trail of Bits was engaged to review the changes made to the cryptographic access control mechanism. In order to provide transparency to our customers, we have elected to make a summary of the audit report available to the public.
Mitigation
The following mitigations are available for this issue:
- Install the firmware patch available for your SSD. For drives configured using TCG Opal, the access control mechanism will be updated upon first power on of the drive following installation of the update. For drives configured using ATA security, the access control mechanism will be updated upon first unlock of the drive following the update.
- If the firmware patch cannot be installed, for drives configured using TCG Opal, ensure that all ranges on the disk are configured with read and write locking enabled.
- If the firmware patch cannot be installed, for drives configured using ATA security, ensure that the drive is configured using the High mode.
- Use software encryption.
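One way to audit the ATA security mode on a fleet, added here as an example and not part of the advisory or of Western Digital's tooling: it parses the "Security:" section of `hdparm -I` output and reports whether the drive is in Maximum or High mode. The sample text is constructed, the section layout is an assumption about hdparm's output, and the function names are hypothetical.

```python
# Constructed sample of the "Security:" section printed by `hdparm -I`
# (layout is an assumption; it is not taken from the advisory).
SAMPLE_MAXIMUM = (
    "Security: \n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\t\tenabled\n"
    "\tnot\tlocked\n"
    "\tnot\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\tSecurity level maximum\n"
    "Checksum: correct\n"
)
SAMPLE_HIGH = SAMPLE_MAXIMUM.replace("level maximum", "level high")
SAMPLE_OFF = SAMPLE_MAXIMUM.replace("\t\tenabled", "\tnot\tenabled").replace(
    "\tSecurity level maximum\n", "")


def ata_security_state(identify_text):
    """Return (enabled, level) from the Security section; level may be None."""
    enabled, level, in_section = False, None, False
    for line in identify_text.splitlines():
        if line.strip() == "Security:":
            in_section = True
            continue
        if not in_section or not line.strip():
            continue
        if not line[0].isspace():
            break  # a new top-level section ends the Security block
        fields = line.split()
        if fields == ["enabled"]:  # "not enabled" splits into two fields
            enabled = True
        elif len(fields) == 3 and fields[:2] == ["Security", "level"]:
            level = fields[2].lower()
    return enabled, level


def assess(identify_text):
    """Map the parsed state onto the advisory's ATA security guidance."""
    enabled, level = ata_security_state(identify_text)
    if not enabled:
        return "ata-security-not-enabled"
    if level == "maximum":
        return "maximum-mode"  # configuration named in the advisory
    if level == "high":
        return "high-mode"  # setting the mitigation asks for
    return "unknown-level"
```

A "high-mode" result only confirms the mode setting; it does not show whether the Opal SSC was previously activated and then deactivated on the drive, which the advisory lists as a separate affected configuration.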