CVE-2019-10706
Severity CVSS v4.0:
Pending analysis
Type:
CWE-522
Insufficiently Protected Credentials
Publication date:
10/03/2020
Last modified:
13/03/2020
Description
Western Digital SanDisk SanDisk X300, X300s, X400, and X600 devices: The firmware update authentication method relies on a symmetric HMAC digest. The key used to validate this digest is present in a protected area of the device, and if extracted could be used to install arbitrary firmware to other devices.
Impact
Base Score 3.x
6.30
Severity 3.x
MEDIUM
Base Score 2.0
6.30
Severity 2.0
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:westerndigital:sandisk_x600_sd9tb8w-128g_firmware:*:*:*:*:*:*:*:* | x6112100 (excluding) | |
cpe:2.3:h:westerndigital:sandisk_x600_sd9tb8w-128g:-:*:*:*:*:*:*:* | ||
cpe:2.3:o:westerndigital:sandisk_x600_sd9tb8w-256g_firmware:*:*:*:*:*:*:*:* | x6112100 (excluding) | |
cpe:2.3:h:westerndigital:sandisk_x600_sd9tb8w-256g:-:*:*:*:*:*:*:* | ||
cpe:2.3:o:westerndigital:sandisk_x600_sd9tb8w-512g_firmware:*:*:*:*:*:*:*:* | x6112100 (excluding) | |
cpe:2.3:h:westerndigital:sandisk_x600_sd9tb8w-512g:-:*:*:*:*:*:*:* | ||
cpe:2.3:o:westerndigital:sandisk_x600_sd9tb8w-1t00_firmware:*:*:*:*:*:*:*:* | x6112100 (excluding) | |
cpe:2.3:h:westerndigital:sandisk_x600_sd9tb8w-1t00:-:*:*:*:*:*:*:* | ||
cpe:2.3:o:westerndigital:sandisk_x600_sd9tb8w-2t00_firmware:*:*:*:*:*:*:*:* | x6112100 (excluding) | |
cpe:2.3:h:westerndigital:sandisk_x600_sd9tb8w-2t00:-:*:*:*:*:*:*:* | ||
cpe:2.3:o:westerndigital:sandisk_x600_sd9tn8w-128g_firmware:*:*:*:*:*:*:*:* | x6112100 (excluding) | |
cpe:2.3:h:westerndigital:sandisk_x600_sd9tn8w-128g:-:*:*:*:*:*:*:* | ||
cpe:2.3:o:westerndigital:sandisk_x600_sd9tn8w-256g_firmware:*:*:*:*:*:*:*:* | x6112100 (excluding) | |
cpe:2.3:h:westerndigital:sandisk_x600_sd9tn8w-256g:-:*:*:*:*:*:*:* | ||
cpe:2.3:o:westerndigital:sandisk_x600_sd9tn8w-512g_firmware:*:*:*:*:*:*:*:* | x6112100 (excluding) |
To consult the complete list of CPE names with products and versions, see this page