Flaws in SanDisk SSD Dashboard present malware and data loss risks. This article talks about what these flaws are in detail. How to avoid these flaws? This article also displays the solution for the SanDisk SSD Dashboard users.
Flaws in SanDisk SSD Dashboard
The SanDisk SSD Dashboard used for managing SanDisk SSD (you can also use MiniTool Software to manage your SSD) has two security vulnerabilities in it that increase data loss risks. In an advisory, Western Digital confirmed the issues.
Why do these vulnerabilities cause increase data loss risks?
One of the flaws in SanDisk’s SSD Dashboard gives attackers a way to install malware disguised as legitimate updates on system running the software.
According to a blog post by Trustwave, this flaw (CVE-2019-13467) can be ascribed to the fact that the SanDisk SSD dashboard uses HTTP instead of HTTPS for updates and other resource downloads. This makes it trivial for attackers to target users running the application.
Note:
HTTP:HyperText Transfer Protocol is the underlying protocol used by the World Wide Web. This protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.
HTTPS: The letter “S” stands for “Secure”. It is the secure versions of the standard “HyperText Transfer Protocol” your browser uses when communicating with websites.
A typical attack would be a man-in-the-middle approach in which a rogue server could pretend to be an official SanDisk server offering a new update when what it is actually doing is serving up malware such as ransomware or a banking Trojan.
The other flaw that Trustwave discovered in the SanDisk SSD Dashboard is tied to the use of a hard-coded password for protecting the archived customer-generated system and diagnostic reports.
However, this password completely negates the benefit of encrypting the data when it is sent to SanDisk for examination.
Although the hard-coded password flaw is not quite as severe as the HTTP issues, an attacker can access an error report (often containing confidential information), and then decrypt it with the hard-coded password and gain access to that information.
Update to the Latest Versions of WD SanDisk SSD Dashboard
According to Karl Sigler, manager of threat intelligence at Trustwave, users using the SanDisk SSD Dashboard to manage their hardware may be at risk.
Currently, there is no evidence that anyone has employed the two flaws in SanDisk SSD Dashboard. But please note that exploiting either of these flaws would be extremely easy to pull off based on the nature of the vulnerabilities.
To avoid the losses caused by the SanDisk SSD Dashboard, Western Digital urged customers to install the latest versions of its SanDisk SSD Dashboard and Western Digital SSD Dashboard.
Here are two benefits to upgrade to the latest versions of WD SanDisk SSD Dashboard and WD SSD Dashboard.
- Installing the updates ensures that the Dashboard uses HTTPS for all resource downloads;
- The update dashboard application will also not encrypt and send system information report files back to SanDisk.
Therefore, it is highly recommended for SanDisk SSD Dashboard users to monitor their SSDs to upgrade their applications as soon as possible.