An issue was discovered on Samsung 840 EVO and 850 EVO devices (only in "ATA high" mode, not vulnerable in "TCG" or "ATA max" mode), Samsung T3 and T5 portable drives, and Crucial MX100, MX200 and MX300 devices. Absence of a cryptographic link between the password and the Disk Encryption Key allows attackers with privileged access to SSD firmware full access to encrypted data.

No CVSS v3.1

Attack Vector Physical

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:M/Au:N/C:P/I:N/A:N
Vendors Products
Samsung
  • T3
  • 840 Evo
  • T3 Firmware
  • T5 Firmware
  • 840 Evo Firmware
  • 850 Evo Firmware
  • T5
  • 850 Evo
Micron
  • Crucial Mx100 Firmware
  • Crucial Mx300
  • Crucial Mx200 Firmware
  • Crucial Mx100
  • Crucial Mx200
  • Crucial Mx300 Firmware

Configuration 1 [-]

AND
cpe:2.3:o:samsung:840_evo_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:samsung:840_evo:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND
cpe:2.3:o:samsung:850_evo_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:samsung:850_evo:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND
cpe:2.3:o:samsung:t3_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:samsung:t3:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND
cpe:2.3:o:samsung:t5_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:samsung:t5:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND
cpe:2.3:o:micron:crucial_mx100_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:micron:crucial_mx100:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND
cpe:2.3:o:micron:crucial_mx200_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:micron:crucial_mx200:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND
cpe:2.3:o:micron:crucial_mx300_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:micron:crucial_mx300:-:*:*:*:*:*:*:*
References
Link Resource
http://www.securityfocus.com/bid/105840 Third Party Advisory VDB Entry
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180028 Patch Third Party Advisory Vendor Advisory
https://security.netapp.com/advisory/ntap-20181112-0001/ Third Party Advisory
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2018-11-20T19:00:00

Updated: 2018-11-21T10:57:01

Reserved: 2018-06-07T00:00:00

Link: CVE-2018-12037

JSON object: View

cve-icon NVD Information

Status : Analyzed

Published: 2018-11-20T19:29:00.247

Modified: 2019-10-03T00:03:26.223

Link: CVE-2018-12037

JSON object: View

cve-icon Redhat Information

No data.

CWE