Device and component vendors are fond of producing add-on software for device management and configuration, though the value of these utilities ranges from minimally useful to actively detrimental. SanDisk (and Western Digital, as the owner of that brand) have landed themselves squarely in the detrimental end of that spectrum, as a pair of vulnerabilities discovered in the SanDisk SSD Dashboard by Martin Rakhmanov, security research manager at Trustwave SpiderLabs, underscores an abject lack of security precautions.

SanDisk's SSD Dashboard is nominally meant for checking drive health and performance, running or scheduling TRIM operations, and updating drive firmware. It also includes a function for generating reports to send to SanDisk's customer service agents for troubleshooting. Those reports, however, are stored in encrypted ZIP files with a hardcoded password, which makes the encryption functionally useless. SanDisk's response to the vulnerability, designated as CVE-2019-13466, was to simply remove the encryption and require customers to manually share reports with customer service.

More troubling is a potential man-in-the-middle (MitM) attack, designated as CVE-2019-13467, that can be exploited in the SSD Dashboard software. When checking for available updates, the program downloads an XML file over an unencrypted HTTP connection.