[German]Trivial bugs in Western Digital and SanDisk SSD management tools compromise the security of Windows users. This has been revealed by security researchers. But there is an update from the manufacturers.
Advertising
Trustwave security researchers have made the whole thing public in this blog post entitled 'SanDisk SSD Dashboard Vulnerabilities: CVE-2019-13466 & CVE-2019-13467' – Bleeping Computer reports here.
Encryption in Dashboard
The flaws are caused by the SSD Dashboard application used by Western Digital and SanDisk to manage the drives. Both applications are utility kits that allow users to monitor the performance of their SSDs, diagnose problems, and gather troubleshooting information. The packages include tools for SSD firmware updates and for reading drive details (model, capacity, SMART attributes).
Security researchers took a closer look at the tools when they installed an SSD. A string dump then revealed the CVE-2019-13466 vulnerability in the SanDiskSSDDashboard.exe application. The security researcher noticed a string in the code, which he then had monitored while using the tool in the Process Monitor. When calling the function "Generate Report File" to create a log file, the following call came into effect.
"C:/Program Files (x86)/SanDisk/SSD Dashboard/7za.exe" a -tzip "C:/SSD_Dashboard_Report.zip" "C:/Users/martin/Desktop/SSD_Dashboard_Report_msinfo.txt" "C:/SSD_Dashboard_Report_msinfo.txt" -pS@nD!sk.1
7za.exe is the command line version of 7-zip and the -p switch provides encryption. The security researcher writes that the application uses a fixed password to protect the data in the report. This report should then be sent to SanDisk for review. In this context, "encryption" is worthless. A better approach would be to use a public key instead of a password, so that only SanDisk with an appropriate private key can decrypt the message. Meanwhile, the manufacturer has decided to abandon encryption altogether. Instead, they recommend that customers who need support manually share such reports with their customer service teams.
Advertising
Updates transmitted unencrypted
A bigger flaw is in the unencrypted transmission of updates for this utility, which has been assigned the vulnerability designation CVE-2019-13467. When the dashboard application requests available updates, it returns an XML file with the latest version number available for the utility.
<?xml version="1.0″?>
<lista xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Application_Installer>
<version>2.3.3.0</version>
<create_date>10/12/2018</create_date>
<url>SanDiskSSDDashboardSetup.exe</url>
</Application_Installer>
If the program version specified in the xml is larger than the current version, the app downloads and executes the executable file specified in the URL element. The statement is as follows:
http://wddashboarddownloads.wdc.com/Dashboard/config/lista_updater.xml
An http transmission is used, so it is trivial to attack users running this application in untrusted environments (e.g. via a public Internet hotspot). In particular, a malicious user can create a prepared hotspot that the computer dials into. Then a man-in-the-middle attack could be launched and malicious content could be delivered instead of the updates requested by the application. Whether there is a check for digital signatures, provide data.
The manufacturers released updates
After the security researcher passed the information on to the manufacturers, Sandisk solved the problem by switching to HTTPS. Western Digital and SanDisk SSD Dashboard users are advised to upgrade to at least version 2.5.1.0 as soon as possible to resolve these issues. For more information, visit the Western Digital Web site.
