Western Digital, SanDisk warn of SSD Dashboard vulnerabilities

Western Digital and its SanDisk subsidiary have warned users of a security flaw in their SSD Dashboard utility software - advising that a patch be installed pronto.

In a security disclosure by Trustwave's Martin Rakhmanov, which has only been made public since SanDisk was privately alerted and given chance to patch the flaw, major issues were discovered in the SandDisk SSD Dashboard software, which turn out to also apply to the Western Digital branded version of the same utility. 'The app uses a hard-coded password to protect customer report data which then supposed to be sent to SanDisk for examination,' Rakhmanov explains. 'Needless to say, this "encryption" has no value.

'The second vulnerability (CVE-2019-13467) is more severe. Using a network capture running on the same computer as the app, it was clear that the application uses HTTP instead of HTTPS for communication with SanDisk site. This makes it trivial to attack users running this application in untrusted environments (e.g. using public internet hotspot). Specifically, a malicious user can create a rouge [sic] hotspot that the computer will join or launch a man-in-the-middle attack and then serve malicious content instead of the data requested by the app. If the version in the XML is greater than current app version, the app will download and run the executable specified in the URL element. It would be incredibly easy to manipulate those values. In an attack scenario an unsuspecting user would be prompted to update the app but would end up running any arbitrary code or malware that the attacker wanted.'

Western Digital, which has owned SanDisk since 2016, was alerted to the vulnerabilities in mid-April, then released a patch early last month for both the Western Digital and SanDisk SSD Dashboard applications. The updated utilities, available from the official website, solve the vulnerabilities thusly: The insecure data transmission is worked around by disabling the uploading of encrypted data altogether and leaving the user responsible for securing a dump before sending it to the companies' support departments via email; and the update system has been switched to use an encrypted and validated HTTPS connection.