Description
An issue was discovered on Samsung 840 EVO and 850 EVO devices (only in "ATA high" mode, not vulnerable in "TCG" or "ATA max" mode), Samsung T3 and T5 portable drives, and Crucial MX100, MX200 and MX300 devices. Absence of a cryptographic link between the password and the Disk Encryption Key allows attackers with privileged access to SSD firmware full access to encrypted data.
References (3)
Core References
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20181112-0001/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/105840
Patch, Third Party Advisory, Vendor Advisory x_refsource_misc
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180028
Scores
CVSS v3
4.0
EPSS
0.0009
EPSS Percentile
26.1%
Attack Vector
PHYSICAL
CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
Status
published
Products (7)
micron/crucial_mx100_firmware
micron/crucial_mx200_firmware
micron/crucial_mx300_firmware
samsung/840_evo_firmware
samsung/850_evo_firmware
samsung/t3_firmware
samsung/t5_firmware
Published
Nov 20, 2018
Tracked Since
Feb 18, 2026