CVE-2019-10706

MEDIUM

Western Digital SanDisk X600 Sd9tb8w-1... - Insufficiently Protected Credentials

Title source: rule

Description

Western Digital SanDisk X300, X300s, X400, and X600 devices: The firmware update authentication method relies on a symmetric HMAC digest. The key used to validate this digest is present in a protected area of the device and, if extracted, could be used to install arbitrary firmware on other devices.

Scores

CVSS v3 6.3
EPSS 0.0012
EPSS Percentile 30.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Classification

CWE
CWE-522
Status published

Affected Products (50)

westerndigital/sandisk_x600_sd9tb8w-128g_firmware < x6112100
westerndigital/sandisk_x600_sd9tb8w-256g_firmware < x6112100
westerndigital/sandisk_x600_sd9tb8w-512g_firmware < x6112100
westerndigital/sandisk_x600_sd9tb8w-1t00_firmware < x6112100
westerndigital/sandisk_x600_sd9tb8w-2t00_firmware < x6112100
westerndigital/sandisk_x600_sd9tn8w-128g_firmware < x6112100
westerndigital/sandisk_x600_sd9tn8w-256g_firmware < x6112100
westerndigital/sandisk_x600_sd9tn8w-512g_firmware < x6112100
westerndigital/sandisk_x600_sd9tn8w-1t00_firmware < x6112100
westerndigital/sandisk_x600_sd9tn8w-2t00_firmware < x6112100
westerndigital/sandisk_x600_sd9sb8w-128g_firmware < x6112100
westerndigital/sandisk_x600_sd9sb8w-256g_firmware < x6112100
westerndigital/sandisk_x600_sd9sb8w-512g_firmware < x6112100
westerndigital/sandisk_x600_sd9sb8w-1t00_firmware < x6112100
westerndigital/sandisk_x600_sd9sb8w-2t00_firmware < x6112100
... and 35 more

Timeline

Published Mar 10, 2020
Tracked Since Feb 18, 2026