Western Digital has released updates for its SanDisk SecureAccess software to fix multiple vulnerabilities that can be exploited to access user data by carrying out brute force and dictionary attacks.
The SanDisk SecureAccess software, now rebranded SanDisk PrivateAccess, allows storing and protecting critical and sensitive files on SanDisk USB flash drives.
The access to user’s private vault is protected by a personal password, and all the files are automatically encrypted.
According to the vendor, SanDisk SecureAccess version 3.02 was using a one-way cryptographic hash with a predictable salt, This means that the software is vulnerable to dictionary attacks. The software also uses a password hash with insufficient computational effort, as a consequence, an attacker can brute force user passwords leading to unauthorized access to user data.
“SanDisk SecureAccess 3.02 was using a one-way cryptographic hash with a predictable salt making it vulnerable to dictionary attacks by a malicious user. The software also made use of a password hash with insufficient computational effort that would allow an attacker to brute force user passwords leading to unauthorized access to user data.” reads the advisory published by SanDisk.
“Both the key derivation function issues described above have been resolved in SanDisk PrivateAccess Version 6.3.5. SanDisk SecureAccess has been rebranded to SanDisk PrivateAccess.”
The vulnerabilities, tracked as CVE-2021-36750, were discovered by researcher Sylvain Pelissier. Western Digital addressed the issue with the release of SanDisk PrivateAccess version 6.3.5.
“The key derivation function issues have been addressed by using PBKDF2-SHA256 together with a randomly generated salt,” continues the advisory.
(SecurityAffairs – hacking, Western Digital)