ATA interface software may not properly handle ATA security features

2012-06-21T00:00:00
ID VU:964064
Type cert
Reporter CERT
Modified 2012-06-21T00:00:00

Description

Overview

ATA interface software, including multiple system board BIOS implementations, does not adequately manage the ATA hard drive security mode. An attacker may be able to exploit this to completely lock a hard drive, resulting in an almost unrecoverable denial-of-service condition.

Description

ATA-compliant devices may include the ability to set a 32-byte password to prevent data on a device from being disclosed to unauthorized parties. Once set, the password must be entered via the ATA interface software at boot time or the drive will lock itself. When a system is booted, the ATA-compliant drive should validate the password, if it has been set. Next, the ATA interface software should issue the SECURITY FREEZE LOCK command to prevent changes to the password until the system is rebooted. Please note that if the security features are supported by an ATA-compliant drive, they are inactive until a password is set with the SECURITY SET PASSWORD command. Many different system components may have the ability to issue ATA commands, including the system board BIOS, add-in cards, operating system drivers, and software utilities.

However, if a system does not properly handle the ATA security features, then it is likely that the system does not issue the SECURITY FREEZE LOCK command. If an attacker can gain the privileges needed to issue ATA commands on a system, and that system does not issue the SECURITY FREEZE LOCK command, that attacker may be able to arbitrarily set the password for that drive. Once the password is set, the next time the system is rebooted the system's drive will remain in a locked state until the password is provided. A locked hard drive will ignore commands such as those used to read, write, or erase data. This results in a complete denial-of-service condition.

We believe that vendors who have the ability to issue ATA commands should issue the SECURITY FREEZE LOCK command for every ATA connected device at the earliest possible moment. Given this, we have marked vendors that issue the SECURITY FREEZE LOCK command as not vulnerable.
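
To audit whether a drive has been left in the state described above, the security status reported by the drive can be decoded. The following is an added example, not part of the original note or any vendor's code: it assumes the standard ATA layout in which word 128 of the 512-byte IDENTIFY DEVICE data carries the security status bits, and the function names and sample values are hypothetical and constructed for illustration.

```python
import struct

# Bit positions in IDENTIFY DEVICE word 128 (security status), taken from the
# ATA specification; this layout is an assumption not stated in the note itself.
SECURITY_WORD = 128
FLAGS = {"supported": 0, "enabled": 1, "locked": 2, "frozen": 3, "count_expired": 4}


def security_status(identify: bytes) -> dict:
    """Decode word 128 of a 512-byte IDENTIFY DEVICE block (little-endian words)."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    (word,) = struct.unpack_from("<H", identify, SECURITY_WORD * 2)
    return {name: bool((word >> bit) & 1) for name, bit in FLAGS.items()}


def assess(identify: bytes) -> str:
    """Classify the drive against the condition described in this note."""
    s = security_status(identify)
    if not s["supported"]:
        return "n/a: drive does not implement the ATA security features"
    if s["locked"]:
        return "locked: drive ignores read/write/erase until the password is given"
    if s["frozen"]:
        return "ok: SECURITY FREEZE LOCK was issued, password fixed until reboot"
    if s["enabled"]:
        return "exposed: password set but not frozen, it can still be changed"
    return "exposed: no password set and not frozen, a password can be set"


def make_identify(word128: int) -> bytes:
    """Constructed sample: zeroed IDENTIFY block with only word 128 filled in."""
    block = bytearray(512)
    struct.pack_into("<H", block, SECURITY_WORD * 2, word128)
    return bytes(block)


if __name__ == "__main__":
    # Constructed word-128 values, not captured from real hardware.
    samples = [("no freeze", 0x0001), ("frozen", 0x0009),
               ("locked", 0x0007), ("unsupported", 0x0000)]
    for label, word in samples:
        print(f"{label:12} 0x{word:04x} -> {assess(make_identify(word))}")
```

Any drive that reports "exposed" after the operating system has finished booting indicates that no component in the boot path issued SECURITY FREEZE LOCK.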


Impact

If an attacker can change the ATA password on an ATA device, that attacker can completely lock the device, making all the data on the device inaccessible.


Solution

Upgrade ATA Software
Install or upgrade BIOS, firmware, or ATA drivers that properly issue the SECURITY FREEZE LOCK command.


Vendor Information

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Check Point Software Technologies| | 18 Aug 2005| 25 Oct 2005
Hitachi| | 18 Aug 2005| 13 Oct 2005
NextHop Technologies, Inc.| | 18 Aug 2005| 18 Oct 2005
OpenBSD| | 18 Aug 2005| 21 Jun 2012
3com, Inc.| | 18 Aug 2005| 18 Aug 2005
Alcatel| | 18 Aug 2005| 18 Aug 2005
American Megatrends Incorporated (AMI)| | 18 Aug 2005| 18 Aug 2005
AMI| | -| 08 Jun 2005
Apple Computer, Inc.| | 18 Aug 2005| 18 Aug 2005
AT&T| | 18 Aug 2005| 18 Aug 2005
Avaya, Inc.| | 18 Aug 2005| 18 Aug 2005
Avici Systems, Inc.| | 18 Aug 2005| 18 Aug 2005
Charlotte's Web Networks| | 18 Aug 2005| 18 Aug 2005
Chiaro Networks, Inc.| | 18 Aug 2005| 18 Aug 2005
Cisco Systems, Inc.| | 18 Aug 2005| 18 Aug 2005

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 4.7 | AV:L/AC:M/Au:N/C:N/I:N/A:C
Temporal | 3.8 | E:POC/RL:TF/RC:C
Environmental | 2.9 | CDP:ND/TD:M/CR:ND/IR:H/AR:ND

References

  • <http://www.heise.de/artikel-archiv/ct/2005/08/172>
  • <http://www.heise.de/ct/english/05/08/172/>
  • <http://www.freerepublic.com/focus/f-chat/1376364/posts>
  • <http://lists.freebsd.org/pipermail/freebsd-hackers/2005-April/011318.html>
  • <http://forums.macnn.com/90/mac-os-x/257495/major-ata-security-risk-apple-computers/>
  • <http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/ata/wd.c#rev1.43>

Credit

This issue was published in an article in c't. Thanks also to Seagate for expert advice.

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: Unknown
  • Date Public: 02 Apr 2005
  • Date First Published: 21 Jun 2012
  • Date Last Updated: 21 Jun 2012
  • Severity Metric: 2.25
  • Document Revision: 72