CVSS2: 6.3 Medium (AV:L/AC:M/Au:N/C:N/I:C/A:C)
Attack Vector: LOCAL; Attack Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: NONE; Availability Impact: NONE

EPSS: 0.002 Low (Percentile: 55.3%)
There are multiple vulnerabilities in implementations of ATA Security or TCG Opal Standards in Self-Encrypting Disks (SEDs), which can allow an attacker to decrypt contents of an encrypted drive.
CVE-2018-12037
There is no cryptographic relation between the password provided by the end user and the key used for the encryption of user data. This can allow an attacker to access the key without knowing the password provided by the end user, allowing the attacker to decrypt information encrypted with that key.
According to National Cyber Security Centre - The Netherlands (NCSC-NL), the following products are affected by CVE-2018-12037:
CVE-2018-12038
Key information is stored within a wear-leveled storage chip. Wear-leveling does not guarantee that an old copy of updated data is fully removed. If the updated data is written to a new segment, old versions of data may exist in the previous segment for some time after it has been updated (until that previous segment is overwritten). This means that if a key is updated with a new password, the previous version of the key (either unprotected, or with an old password) could be accessible, negating the need to know the updated password.
According to NCSC-NL, the following products are affected by CVE-2018-12038:
These vulnerabilities allow for full recovery of the data without knowledge of any secret, when the attacker has physical access to the drive.
Apply patches
Vendors have issued patches to address the vulnerabilities. See the Vendor pages below for additional information.
If patches are not able to be deployed, consider the following workarounds:
Do not use drive-based encryption
Use software-based encryption rather than the hardware-based encryption provided by self-encrypting drives.
Additional Information:
According to NCSC-NL, BitLocker as bundled with Microsoft Windows relies on hardware full-disk encryption by default if the drive indicates that it can support this.
To determine whether BitLocker is using hardware-based encryption or software-based encryption:
BitLocker's default encryption method can be controlled with Group Policy settings. Configure these settings to force BitLocker to use software-based encryption by default. Once these policy settings have been changed, BitLocker needs to be disabled and re-enabled to re-encrypt the drive with software-based encryption (if not already using software-based encryption).
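One way to run the check and policy review described above on a Windows host, as an added example that is not part of the original advisory. It assumes the `Get-BitLockerVolume` cmdlet is available and that the hardware-encryption policies are stored under `HKLM\SOFTWARE\Policies\Microsoft\FVE`; the cmdlet, the registry value names and the two function names are not taken from this page.

```powershell
# Added example (not from the advisory). Run in an elevated PowerShell session.
# Assumption: these registry values are the ones written by the
# "Configure use of hardware-based encryption for ..." Group Policy settings.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$PolicyNames = [ordered]@{
    FDVHardwareEncryption = 'Fixed data drives'
    OSHardwareEncryption  = 'Operating system drives'
    RDVHardwareEncryption = 'Removable data drives'
}

function Get-HardwareEncryptionPolicy {
    $key = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $PolicyNames.Keys) {
        # A missing key or value means the setting is "Not configured".
        $value = $null
        if ($key -and $key.PSObject.Properties[$name]) { $value = $key.$name }

        if ($null -eq $value)  { $state = 'Not configured (OS default applies)' }
        elseif ($value -eq 0)  { $state = 'Disabled: software encryption is used' }
        else                   { $state = 'Enabled: drive-based encryption allowed' }

        [pscustomobject]@{ DriveType = $PolicyNames[$name]; Value = $name; State = $state }
    }
}

function Get-BitLockerEncryptionAudit {
    Get-BitLockerVolume | ForEach-Object {
        $method = "$($_.EncryptionMethod)"
        # 'HardwareEncryption' means BitLocker delegated encryption to the drive (SED).
        if ($method -eq 'HardwareEncryption') {
            $action = 'Disable hardware encryption in policy, then turn BitLocker off and on to re-encrypt in software'
        } elseif ($method -eq 'None') {
            $action = 'Volume is not encrypted by BitLocker'
        } else {
            $action = 'Software-based encryption in use'
        }
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            EncryptionMethod = $method
            Action           = $action
        }
    }
}

Get-HardwareEncryptionPolicy | Format-Table -AutoSize
Get-BitLockerEncryptionAudit | Format-Table -AutoSize -Wrap
```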
Group policy links to control hardware-based BitLocker encryption:
Notified: February 11, 2019 Updated: May 21, 2019
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: November 06, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: November 07, 2018
Affected
Encryption with BitLocker depends on the correct setting of the Group Policy. More information about this Group Policy can be found via the following location (Microsoft URL). Changing the default setting is not sufficient to mitigate the risk because it does not affect the vulnerability in already encrypted data. Only a complete new installation, including removal and reformatting of data, enforces encryption via BitLocker.
For details, please see the vendor's web page.
Updated: May 16, 2019
Affected
**For non-portable SSDs:** We recommend installing encryption software (freeware available online) that is compatible with your system.
**For portable SSDs:** We recommend updating the firmware on your device.
For further information please see Consumer Notice regarding Samsung SSDs.
Notified: March 13, 2019 Updated: May 20, 2019
Statement Date: May 07, 2019
Affected
See statement from Western Digital.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 13, 2019 Updated: May 20, 2019
Statement Date: May 14, 2019
Affected
A firmware update to address issues related to the protection of data at rest on the SanDisk X600 SED SSD is available. For details on the issues addressed by this update and availability information, please see the bulletin on the Western Digital product security portal at https://www.westerndigital.com/support/productsecurity/wdc-19006-sandisk-x600-sata-ssd.
CVE Numbers: CVE-2019-10705, CVE-2019-11686, CVE-2019-10706, CVE-2019-10636
Notified: March 13, 2019 Updated: April 04, 2019
Statement Date: April 02, 2019
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 13, 2019 Updated: May 20, 2019
Statement Date: May 17, 2019
Not Affected
Self-Encrypting Solid-State Drive Research Study: VU#395981, CVE-2018-12037,
CVE-2018-12038
All Seagate Secure™ TCG Enterprise SSC and TCG Opal SSC based SED and FIPS
devices across all interfaces (SAS, SATA and NVMe) provide certified
mitigations to the threats referenced in the recent research study entitled
“Self-encrypting deception: weaknesses in the encryption of solid-state drives
(SSDs)” by Carlo Meijer and Bernard van Gastel at Radboud University in the
Netherlands. Specifically, the threats referenced in this study are:
Password and DEK not linked
Single DEK used for the entire disk
Lack of entropy in randomly generated DEKs
Wear leveling, power-saving mode (e.g. DEVSLP)
General implementation issues (i.e. incorrect crypto usage)
JTAG access
Vendor diagnostic commands access
Arbitrary unsigned code execution, and
Same intermediate encryption key for all MEKs
These threats are addressed in Seagate Secure SED and FIPS devices which are
thoroughly validated by independent labs that certify Seagate Secure products
against the FIPS 140 Standard and Common Criteria FDE Encryption Engine profile.
Seagate leads the industry with security certifications and transparency as a
result of our FIPS 140 and Common Criteria Certificates and corresponding
Seagate Secure Security Policies. These certifications provide public
visibility to the implemented security policies and assurance that device
protection, cryptography and key management are implemented to publicly
recognized security standards.
Common Criteria Certificate - CCEVS-VR-VID10857-2018
FIPS 140 Certificate Examples - #3316, #3252, #2634 (Refer to Seagate website
for additional certificates)
We are not aware of further vendor information regarding this vulnerability.
Notified: March 13, 2019 Updated: March 13, 2019
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 13, 2019 Updated: March 13, 2019
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 13, 2019 Updated: March 13, 2019
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 13, 2019 Updated: March 13, 2019
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 13, 2019 Updated: March 13, 2019
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 13, 2019 Updated: March 13, 2019
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 13, 2019 Updated: March 13, 2019
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 13, 2019 Updated: March 13, 2019
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 13, 2019 Updated: March 13, 2019
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 13, 2019 Updated: March 13, 2019
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: May 10, 2019 Updated: May 16, 2019
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 13, 2019 Updated: March 13, 2019
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 13, 2019 Updated: March 13, 2019
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 13, 2019 Updated: May 16, 2019
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 4.7 | AV:L/AC:M/Au:N/C:C/I:N/A:N |
Temporal | 3.7 | E:POC/RL:OF/RC:C |
Environmental | 4.0 | CDP:ND/TD:M/CR:H/IR:ND/AR:ND |
Thanks to Carlo Meijer and Bernard van Gastel for reporting these vulnerabilities and the National Cyber Security Centre of the Netherlands for leading the coordination of this vulnerability.
This document was written by Trent Novelly and Laurie Tyzenhaus.
CVE IDs: | [CVE-2018-12037](<http://web.nvd.nist.gov/vuln/detail/CVE-2018-12037>), CVE-2018-12038, CVE-2019-10705, CVE-2019-10706, [CVE-2019-10636](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-10636>), [CVE-2019-11686](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11686>) |
---|---|
Date Public: | 2018-11-05 Date First Published: |
docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11)#configure-use-of-hardware-based-encryption-for-fixed-data-drives
docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-hdefxd
docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-hdeosd
docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-hderdd
portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180028
support.lenovo.com/us/en/product_security/LEN-25256
www.crucial.com/usa/en/support-ssd-firmware/
www.ncsc.nl/dienstverlening/response-op-dreigingen-en-incidenten/beveiligingsadviezen/NCSC-2018-0984+1.00+Meerdere+kwetsbaarheden+ontdekt+in+implementaties+Self-Encrypting+Drives.html
www.ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/radboud-university-researchers-discover-security/
www.ru.nl/publish/pages/909282/draft-paper.pdf
www.samsung.com/semiconductor/minisite/ssd/support/consumer-notice/
www.westerndigital.com/support/productsecurity/wdc-19006-sandisk-x600-sata-ssd