SanDisk's SSD Dashboard uses hardcoded password, lacks encrypted updates

Lackadaisical security practices in proprietary management software from a hardware vendor underscore the need for a vendor-agnostic solution.


Device and component vendors are fond of producing add-on software for device management and configuration, though the value of these utilities ranges from minimally useful to actively detrimental. SanDisk (and Western Digital, as the owner of that brand) have landed themselves squarely in the detrimental end of that spectrum, as a pair of vulnerabilities discovered in the SanDisk SSD Dashboard by Martin Rakhmanov, security research manager at Trustwave SpiderLabs, underscores an abject lack of security precautions.

SanDisk's SSD Dashboard is nominally meant for checking drive health and performance, scheduling TRIM operations, and updating drive firmware. It also includes a function for generating reports to send to SanDisk's customer service agents for troubleshooting.


Those reports, however, are stored in encrypted ZIP files with the hardcoded password "S@nD!sk.1", which renders the encryption functionally useless.

SanDisk's response to the vulnerability, designated as CVE-2019-13466, was to simply remove the encryption, and require customers to manually share reports with customer service.

More troubling is a potential man-in-the-middle (MitM) attack, designated as CVE-2019-13467, that can be exploited in the SSD Dashboard software. When checking for available updates, the program downloads an XML file over an unencrypted HTTP connection. Because nothing protects that file in transit, it would be trivial for attackers to change the URL of the download package in the XML file, and the package is automatically downloaded and installed if the version specified in the file is greater than the version of the currently installed Dashboard.

Users of Western Digital or SanDisk SSD Dashboard should manually download a patched version of the software.
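The checks an updater needs before acting on such an XML file can be sketched as follows. This is an added example, not SanDisk's or Trustwave's code: the element names, the host allowlist, and the sample manifest are constructed assumptions, and the manifest's authenticity rests on TLS here rather than on a separate signature.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hypothetical allowlist; the vendor's real update hosts are not given in the article.
ALLOWED_HOSTS = {"updates.example.com"}

def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))

def check_url(url):
    """Accept only HTTPS URLs that point at an allowlisted host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS URL: {url!r}")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected host: {parts.hostname!r}")
    return url

def evaluate_manifest(manifest_url, manifest_xml, installed_version):
    """Return (package_url, sha256) if an update should be fetched, else None."""
    check_url(manifest_url)  # the manifest itself must arrive over TLS
    root = ET.fromstring(manifest_xml)
    offered = parse_version(root.findtext("version", ""))
    if offered <= parse_version(installed_version):
        return None
    digest = root.findtext("sha256", "").strip().lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("manifest lacks a valid SHA-256 digest")
    return check_url(root.findtext("url", "").strip()), digest

def verify_package(data, expected_sha256):
    """Compare the downloaded bytes with the digest carried in the manifest."""
    return hashlib.sha256(data).hexdigest() == expected_sha256

# Constructed sample input (not a real Dashboard manifest or installer).
SAMPLE_PACKAGE = b"constructed installer bytes"
SAMPLE_MANIFEST = f"""<update>
  <version>2.10.0</version>
  <url>https://updates.example.com/dashboard-setup.exe</url>
  <sha256>{hashlib.sha256(SAMPLE_PACKAGE).hexdigest()}</sha256>
</update>"""
```

The installer should run only after `verify_package` returns true for the bytes actually downloaded; a manifest that fails any check is discarded rather than retried over HTTP.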

The case against vendor-specific helper software

Clearly, Western Digital's forte is storage, and while these vulnerabilities should not discourage buyers from considering WD or SanDisk products, the proliferation of proprietary vendor software to manage hardware functions should be curtailed. Granted, SSD Advisor is optional, though poor security practices in such programs, and performance hits from memory-resident programs running in the background, still arguably outweigh potential benefits, even with the power provided by modern processors and vast amounts of RAM found in modern computers.

Nothing fundamentally unique can be found in the SanDisk SSD Advisor. While the utility of SMART drive data is still an open question, SMART is itself a vendor-agnostic industry standard.

Likewise, the functions provided by SSD Advisor should be left to the host operating system. The Linux Vendor Firmware Service (LVFS) can be used to deliver firmware updates for Linux users; likewise, Windows Update could be used to similar ends for the optional update of drive firmware.
