CVE-2019-10706

Severity CVSS v4.0:
Pending analysis
Type:
CWE-522 Insufficiently Protected Credentials
Publication date:
10/03/2020
Last modified:
13/03/2020

Description

Western Digital SanDisk SanDisk X300, X300s, X400, and X600 devices: The firmware update authentication method relies on a symmetric HMAC digest. The key used to validate this digest is present in a protected area of the device, and if extracted could be used to install arbitrary firmware to other devices.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:westerndigital:sandisk_x600_sd9tb8w-128g_firmware:*:*:*:*:*:*:*:* x6112100 (excluding)
cpe:2.3:h:westerndigital:sandisk_x600_sd9tb8w-128g:-:*:*:*:*:*:*:*
cpe:2.3:o:westerndigital:sandisk_x600_sd9tb8w-256g_firmware:*:*:*:*:*:*:*:* x6112100 (excluding)
cpe:2.3:h:westerndigital:sandisk_x600_sd9tb8w-256g:-:*:*:*:*:*:*:*
cpe:2.3:o:westerndigital:sandisk_x600_sd9tb8w-512g_firmware:*:*:*:*:*:*:*:* x6112100 (excluding)
cpe:2.3:h:westerndigital:sandisk_x600_sd9tb8w-512g:-:*:*:*:*:*:*:*
cpe:2.3:o:westerndigital:sandisk_x600_sd9tb8w-1t00_firmware:*:*:*:*:*:*:*:* x6112100 (excluding)
cpe:2.3:h:westerndigital:sandisk_x600_sd9tb8w-1t00:-:*:*:*:*:*:*:*
cpe:2.3:o:westerndigital:sandisk_x600_sd9tb8w-2t00_firmware:*:*:*:*:*:*:*:* x6112100 (excluding)
cpe:2.3:h:westerndigital:sandisk_x600_sd9tb8w-2t00:-:*:*:*:*:*:*:*
cpe:2.3:o:westerndigital:sandisk_x600_sd9tn8w-128g_firmware:*:*:*:*:*:*:*:* x6112100 (excluding)
cpe:2.3:h:westerndigital:sandisk_x600_sd9tn8w-128g:-:*:*:*:*:*:*:*
cpe:2.3:o:westerndigital:sandisk_x600_sd9tn8w-256g_firmware:*:*:*:*:*:*:*:* x6112100 (excluding)
cpe:2.3:h:westerndigital:sandisk_x600_sd9tn8w-256g:-:*:*:*:*:*:*:*
cpe:2.3:o:westerndigital:sandisk_x600_sd9tn8w-512g_firmware:*:*:*:*:*:*:*:* x6112100 (excluding)