{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-28382", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2022-10-09T00:00:00", "dateReserved": "2022-04-03T00:00:00", "datePublished": "2022-06-08T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-10-09T00:00:00"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in certain Verbatim drives through 2022-03-31. Due to the use of an insecure encryption AES mode (Electronic Codebook, aka ECB), an attacker may be able to extract information even from encrypted data, for example by observing repeating byte patterns. The firmware of the USB-to-SATA bridge controller INIC-3637EN uses AES-256 with the ECB mode. This operation mode of block ciphers (e.g., AES) always encrypts identical plaintext data, in this case blocks of 16 bytes, to identical ciphertext data. For some data, for instance bitmap images, the lack of the cryptographic property called diffusion, within ECB, can leak sensitive information even in encrypted data. Thus, the use of the ECB operation mode can put the confidentiality of specific information at risk, even in an encrypted form. This affects Keypad Secure USB 3.2 Gen 1 Drive Part Number #49428, Store 'n' Go Secure Portable HDD GD25LK01-3637-C VER4.0, Executive Fingerprint Secure SSD GDMSFE01-INI3637-C VER1.1, and Fingerprint Secure Portable Hard Drive Part Number #53650."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-002.txt"}, {"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-006.txt"}, {"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-010.txt"}, {"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-015.txt"}, {"name": "20220610 [SYSS-2022-006]: Verbatim Store 'n' Go Secure Portable HDD - Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) (CVE-2022-28382)", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2022/Jun/18"}, {"name": "20220610 [SYSS-2022-010]: Verbatim Executive Fingerprint Secure SSD - Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) (CVE-2022-28382)", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2022/Jun/22"}, {"name": "20220610 [SYSS-2022-002]: Verbatim Keypad Secure USB 3.2 Gen 1 Drive - Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) (CVE-2022-28382)", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2022/Jun/9"}, {"name": "20220610 [SYSS-2022-015]: Verbatim Fingerprint Secure Portable Hard Drive - Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) (CVE-2022-28382)", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2022/Jun/24"}, {"url": "http://packetstormsecurity.com/files/167491/Verbatim-Keypad-Secure-USB-3.2-Gen-1-Drive-ECB-Issue.html"}, {"url": "http://packetstormsecurity.com/files/167500/Verbatim-Store-N-Go-Secure-Portable-HDD-GD25LK01-3637-C-VER4.0-Risky-Crypto.html"}, {"url": "http://packetstormsecurity.com/files/167532/Verbatim-Fingerprint-Secure-Portable-Hard-Drive-53650-Risky-Crypto.html"}, {"url": "http://packetstormsecurity.com/files/167528/Verbatim-Executive-Fingerprint-Secure-SSD-GDMSFE01-INI3637-C-VER1.1-Risky-Crypto.html"}, {"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-044.txt"}, {"name": "20221008 [SYSS-2022-044]: Verbatim Store 'n' Go Secure Portable SSD - Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) (CVE-2022-28382)", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2022/Oct/4"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:verbatim:keypad_secure_usb_3.2_gen_1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "858C45A8-1BE3-4A2B-8184-D0B208513ACB", "versionEndIncluding": "2022-03-31", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:verbatim:keypad_secure_usb_3.2_gen_1:-:*:*:*:*:*:*:*", "matchCriteriaId": "CE1F7994-9CF8-45C5-8C57-A2CE56B8730B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:verbatim:store_\\'n\\'_go_secure_portable_hdd_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "034F8132-9D3B-474F-B6F0-E85FEEB34E5B", "versionEndIncluding": "2022-03-31", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:verbatim:store_\\'n\\'_go_secure_portable_hdd:-:*:*:*:*:*:*:*", "matchCriteriaId": "59F87C0C-64CC-4E58-9391-8EE9014DCF63", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:verbatim:executive_fingerprint_secure_ssd_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "1108BAFB-599A-475E-AEDA-7ED51D2ADBFE", "versionEndIncluding": "2022-03-31", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:verbatim:executive_fingerprint_secure_ssd:-:*:*:*:*:*:*:*", "matchCriteriaId": "A6874052-44CE-47F6-A9EC-7FB99369DF33", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:verbatim:fingerprint_secure_portable_hard_drive_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E701FD30-CDD2-47C3-B2DD-B50DAF3B4AD6", "versionEndIncluding": "2022-03-31", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:verbatim:fingerprint_secure_portable_hard_drive:-:*:*:*:*:*:*:*", "matchCriteriaId": "2B7424FA-57F4-4328-8B7C-D8B9A8902EEF", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in certain Verbatim drives through 2022-03-31. Due to the use of an insecure encryption AES mode (Electronic Codebook, aka ECB), an attacker may be able to extract information even from encrypted data, for example by observing repeating byte patterns. The firmware of the USB-to-SATA bridge controller INIC-3637EN uses AES-256 with the ECB mode. This operation mode of block ciphers (e.g., AES) always encrypts identical plaintext data, in this case blocks of 16 bytes, to identical ciphertext data. For some data, for instance bitmap images, the lack of the cryptographic property called diffusion, within ECB, can leak sensitive information even in encrypted data. Thus, the use of the ECB operation mode can put the confidentiality of specific information at risk, even in an encrypted form. This affects Keypad Secure USB 3.2 Gen 1 Drive Part Number #49428, Store 'n' Go Secure Portable HDD GD25LK01-3637-C VER4.0, Executive Fingerprint Secure SSD GDMSFE01-INI3637-C VER1.1, and Fingerprint Secure Portable Hard Drive Part Number #53650."}, {"lang": "es", "value": "Se ha detectado un problema en determinadas unidades de Verbatim hasta el 31-03-2022. Debido al uso de un modo de encriptaci\u00f3n AES no seguro (Electronic Codebook, tambi\u00e9n se conoce como ECB), un atacante puede ser capaz de extraer informaci\u00f3n incluso de datos encriptados, por ejemplo, al observar patrones de bytes repetidos. El firmware del controlador de puente USB a SATA INIC-3637EN usa AES-256 con el modo ECB. Este modo de funcionamiento de los cifradores de bloques (por ejemplo, AES) siempre cifra datos de texto plano id\u00e9nticos, en este caso bloques de 16 bytes, en datos de texto cifrado id\u00e9nticos. Para algunos datos, por ejemplo las im\u00e1genes de mapa de bits, la falta de la propiedad criptogr\u00e1fica llamada difusi\u00f3n, dentro del ECB, puede filtrar informaci\u00f3n confidencial incluso en los datos cifrados. Por lo tanto, el uso del modo de funcionamiento ECB puede poner en riesgo la confidencialidad de informaci\u00f3n espec\u00edfica, incluso de forma encriptada. Esto afecta a la unidad Keypad Secure USB versi\u00f3n 3.2 Gen 1, n\u00famero de pieza 49428, al disco duro port\u00e1til Store \"n\" Go Secure GD25LK01-3637-C VER4.0, a la unidad SSD Executive Fingerprint Secure GDMSFE01-INI3637-C VER1.1 y al disco duro port\u00e1til Fingerprint Secure, n\u00famero de pieza 53650"}], "id": "CVE-2022-28382", "lastModified": "2023-08-08T14:22:24.967", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-08T16:15:07.957", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/167491/Verbatim-Keypad-Secure-USB-3.2-Gen-1-Drive-ECB-Issue.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/167500/Verbatim-Store-N-Go-Secure-Portable-HDD-GD25LK01-3637-C-VER4.0-Risky-Crypto.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/167528/Verbatim-Executive-Fingerprint-Secure-SSD-GDMSFE01-INI3637-C-VER1.1-Risky-Crypto.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/167532/Verbatim-Fingerprint-Secure-Portable-Hard-Drive-53650-Risky-Crypto.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/Jun/18"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/Jun/22"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/Jun/24"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/Jun/9"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/Oct/4"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-002.txt"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-006.txt"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-010.txt"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-015.txt"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-044.txt"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}