Bugs in Western Digital SSD Utility puts users at risk

[German]Trivial bugs in Western Digital and SanDisk SSD management tools compromise the security of Windows users. This has been revealed by security researchers. But there is an update from the manufacturers.


Advertising

Trustwave security researchers have made the whole thing public in this blog post entitled 'SanDisk SSD Dashboard Vulnerabilities: CVE-2019-13466 & CVE-2019-13467' – Bleeping Computer reports here.

Encryption in Dashboard

The flaws are caused by the SSD Dashboard application used by Western Digital and SanDisk to manage the drives. Both applications are utility kits that allow users to monitor the performance of their SSDs, diagnose problems, and gather troubleshooting information. The packages include tools for SSD firmware updates and for reading drive details (model, capacity, SMART attributes).

Security researchers took a closer look at the tools when they installed an SSD. A string dump then revealed the CVE-2019-13466 vulnerability in the SanDiskSSDDashboard.exe application. The security researcher noticed a string in the code, which he then had monitored while using the tool in the Process Monitor. When calling the function "Generate Report File" to create a log file, the following call came into effect.

"C:/Program Files (x86)/SanDisk/SSD Dashboard/7za.exe"  a -tzip "C:/SSD_Dashboard_Report.zip" "C:/Users/martin/Desktop/SSD_Dashboard_Report_msinfo.txt" "C:/SSD_Dashboard_Report_msinfo.txt" -pS@nD!sk.1

7za.exe is the command line version of 7-zip and the -p switch provides encryption. The security researcher writes that the application uses a fixed password to protect the data in the report. This report should then be sent to SanDisk for review. In this context, "encryption" is worthless. A better approach would be to use a public key instead of a password, so that only SanDisk with an appropriate private key can decrypt the message. Meanwhile, the manufacturer has decided to abandon encryption altogether. Instead, they recommend that customers who need support manually share such reports with their customer service teams.


Advertising

Updates transmitted unencrypted

A bigger flaw is in the unencrypted transmission of updates for this utility, which has been assigned the vulnerability designation CVE-2019-13467. When the dashboard application requests available updates, it returns an XML file with the latest version number available for the utility.

<?xml version="1.0″?>
<lista xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Application_Installer>
    <version>2.3.3.0</version>
    <create_date>10/12/2018</create_date>
    <url>SanDiskSSDDashboardSetup.exe</url>
  </Application_Installer>

If the program version specified in the xml is larger than the current version, the app downloads and executes the executable file specified in the URL element. The statement is as follows:

http://wddashboarddownloads.wdc.com/Dashboard/config/lista_updater.xml

An http transmission is used, so it is trivial to attack users running this application in untrusted environments (e.g. via a public Internet hotspot). In particular, a malicious user can create a prepared hotspot that the computer dials into. Then a man-in-the-middle attack could be launched and malicious content could be delivered instead of the updates requested by the application. Whether there is a check for digital signatures, provide data.

The manufacturers released updates

After the security researcher passed the information on to the manufacturers, Sandisk solved the problem by switching to HTTPS. Western Digital and SanDisk SSD Dashboard users are advised to upgrade to at least version 2.5.1.0 as soon as possible to resolve these issues. For more information, visit the Western Digital Web site.


Advertising

This entry was posted in Security, Software and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).