Western Digital has released an update to its SanDisk SecureAccess/PrivateAccess product to address a vulnerability that allows users' data to be exposed through brute-force and dictionary attacks against the vault password. SecureAccess is a tool that lets users encrypt files and folders in a protected location on SanDisk USB drives.
The problems were identified by researcher Sylvain Pelissier, who found that SanDisk SecureAccess is affected by two weaknesses in its key derivation function, which together allow an attacker who obtains the encrypted vault to crack the user's password offline.
According to the researcher, SanDisk SecureAccess 3.02 "uses a one-way cryptographic hash with a predictable salt, making it vulnerable to dictionary attacks." Pelissier also states that the software uses insufficient hashing to compute the password, which allows attackers to brute-force users' passwords: because the salt is predictable, a single precomputed dictionary works against every vault, and because each guess costs only a fast hash, very large numbers of guesses can be tried per second.
Tracked as CVE-2021-36750, the issue was fixed with the release of SanDisk PrivateAccess version 6.3.5, so users of affected installations are encouraged to update as soon as possible. In its security advisory, the company notes that the key derivation weaknesses have been addressed by using PBKDF2-SHA256 together with a randomly generated salt, which removes both conditions: the random salt defeats precomputed dictionaries, and the PBKDF2 iteration count raises the cost of every individual guess.
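The following is an added illustration of the two weaknesses described above and of the fix Western Digital describes; it is not SanDisk's or Western Digital's code, and the exact derivation used by SecureAccess 3.02 is not stated on this page. The weak KDF is modelled as a single SHA-256 over a fixed, attacker-predictable salt (the fixed salt value and the PBKDF2 iteration count are assumptions for the example), the hardened KDF as PBKDF2-HMAC-SHA256 with a per-vault random salt. The example shows that one precomputed table cracks every weakly-derived key at once, while randomly salted keys cannot share a table and cost one full PBKDF2 run per guess per vault.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Assumption for the example: any value an attacker can know in advance
# (a constant baked into the software, a serial number, ...) is a
# "predictable salt" in the sense of the advisory.
PREDICTABLE_SALT = b"example-fixed-salt"

# Assumption for the example: the PBKDF2 work factor. Western Digital's
# advisory names PBKDF2-SHA256 but this page does not give the count.
PBKDF2_ITERATIONS = 600_000


def weak_kdf(password: str, salt: bytes = PREDICTABLE_SALT) -> bytes:
    """Model of the reported weakness: one fast hash, predictable salt."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def strong_kdf(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Model of the fix: PBKDF2-HMAC-SHA256 with a caller-supplied random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def new_vault(password: str, iterations: int = PBKDF2_ITERATIONS) -> Dict[str, bytes]:
    """Hardened vault record: fresh 16-byte random salt stored beside the key."""
    salt = os.urandom(16)
    return {"salt": salt, "key": strong_kdf(password, salt, iterations)}


def precompute_table(wordlist: Iterable[str]) -> Dict[bytes, str]:
    """Attacker's one-time table: hash every candidate under the known salt."""
    return {weak_kdf(word): word for word in wordlist}


def crack_weak_vaults(targets: Iterable[bytes], wordlist: Iterable[str]) -> Dict[bytes, str]:
    """One table, computed once, is looked up against every vault's key."""
    table = precompute_table(wordlist)
    return {key: table[key] for key in targets if key in table}


def crack_strong_vault(vault: Dict[str, bytes], wordlist: Iterable[str],
                       iterations: int = PBKDF2_ITERATIONS) -> Optional[str]:
    """No shared table is possible: each guess is a full PBKDF2 run with this
    vault's own salt, so the cost scales with iterations * guesses * vaults."""
    for word in wordlist:
        candidate = strong_kdf(word, vault["salt"], iterations)
        if hmac.compare_digest(candidate, vault["key"]):
            return word
    return None


if __name__ == "__main__":
    # Constructed sample data: three users, two of whom chose a dictionary word.
    wordlist = ["password", "letmein", "sandisk123", "qwerty"]
    users = {"alice": "letmein", "bob": "sandisk123", "carol": "Tr0ub4dor&3xyz"}

    weak_keys = {weak_kdf(pw): name for name, pw in users.items()}
    hits = crack_weak_vaults(weak_keys.keys(), wordlist)
    print("weak KDF, one table:", {weak_keys[k]: pw for k, pw in hits.items()})

    # Same password, two vaults: random salts give unrelated keys, so a
    # table built for one vault says nothing about the other.
    v1, v2 = new_vault("letmein", 1000), new_vault("letmein", 1000)
    print("same password, different keys:", v1["key"] != v2["key"])
    print("per-vault guess for alice:", crack_strong_vault(v1, wordlist, 1000))
```

The 1000-iteration runs in the demo exist only to keep it quick; a real deployment uses the full count, and the point of the fix is precisely that each guess then costs hundreds of thousands of HMAC-SHA256 calls instead of one.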
Western Digital has faced other problems over the past few months; earlier in 2021, the company urged customers to take emergency action after multiple attacks against its network-attached storage (NAS) devices were detected, which could have allowed access to sensitive information.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as a cyber security investigator and has also worked for several security companies. His everyday job includes researching new cyber security incidents. He also has deep knowledge of enterprise security implementation.