Lenovo Security Advisory: LEN-25256
Potential Impact: Information disclosure
Severity: Medium
Scope of Impact: Industry-wide
CVE Identifier: CVE-2018-12037, CVE-2018-12038, CVE-2019-10636, CVE-2019-10705, CVE-2019-10706, CVE-2019-11686
Summary Description:
As reported in CERT Coordination Center Vulnerability Note VU#395981, researchers from Radboud University in the Netherlands have discovered vulnerabilities in self-encrypting drives. Vendors have made us aware of vulnerabilities which require physical access to the drive. The vulnerable drive families are listed in the Affected Drives section.
Mitigation Strategy for Customers (what you should do to protect yourself):
If you are using software encryption, you are not affected by these vulnerabilities even if your SED hardware is vulnerable.
Download and run the SED_checker tool available here to determine if your system is vulnerable.
For vulnerable systems:
Affected Drives:
Crucial (Micron) MX100, MX200 and MX300 drives (Lenovo did not ship)
HGST Travel Star Jaguar C7
Lenovo AH6661, AM6671
Lite-On CA3, CV3, L9G, L9S, M6G, M6S, V2G, V2S
Micron 1100, M600
Samsung 840 EVO, 850 EVO, T3, T5 (Lenovo did not ship)
Samsung CM871, PM851, PM871, SM951
Sandisk X300, X300S, X400, X600