A utility program for managing SanDisk solid-state drives (SSDs) has two security vulnerabilities in it that heighten data loss risks for organizations using the application.
One of the vulnerabilities in SanDisk's SSD Dashboard gives attackers a way to install malware disguised as legitimate updates on systems running the software.
The flaw (CVE-2019-13467) has to do with the fact that the SSD Dashboard uses HTTP, rather than HTTPS, for updates and other resource downloads, Trustwave said in a blog post Wednesday. This makes it trivial for attackers to target users running the application, the security vendor said.
A typical attack would be a man-in-the-middle approach in which a rogue server could pretend to be an official SanDisk server offering a new update when what it's actually doing is serving up malware such as ransomware or a banking Trojan. "This could be done by gaining a foothold in the network, hijacking DNS lookups, or trolling public networks like cafes and airports," says Karl Sigler, manager of threat intelligence at Trustwave.
The other weakness that Trustwave discovered in the SSD Dashboard is tied to the use of a hard-coded password for protecting archived customer-generated system and diagnostic reports. The password completely negates the benefit of encrypting the data when it is sent to SanDisk for examination.
The hard-coded password vulnerability isn't quite as severe as the HTTPS issues, Sigler says. Even so, error reports can often contain confidential information, he says. "An attacker that can gain access to an error report would be able to decrypt i ..
Support the originator by clicking the read the rest link below.
