Critical vulnerability in SanDisk SecureAccess: Patch immediately

Western Digital has released an update for its SanDisk SecureAccess software (since renamed PrivateAccess) to address a vulnerability that allowed users' encrypted data to be recovered through dictionary and brute-force attacks on the vault password. The tool lets users encrypt files and folders in a protected vault on SanDisk USB drives.

The issues were reported by researcher Sylvain Pelissier, who found that SanDisk SecureAccess contains two weaknesses in its key derivation function that let a local attacker crack the user's password offline, without going through the application's own login prompt.

According to the researcher, SanDisk SecureAccess 3.02 “uses a one-way cryptographic hash with a predictable salt, making it vulnerable to dictionary attacks.” Pelissier also reported that the password hash is computed with insufficient computational effort, so an attacker can brute-force users' passwords at a rate limited only by their own hardware.

Tracked as CVE-2021-36750, the issue was fixed in SanDisk PrivateAccess version 6.3.5, and users of the affected software are urged to update as soon as possible. In its security advisory, the company notes that the key derivation weaknesses were addressed by switching to PBKDF2-SHA256 with a randomly generated salt. A per-vault random salt defeats precomputed dictionary tables, and the iteration count raises the cost of every guess; neither change protects a weak password by itself, so a strong vault password is still required.
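The following Python example, added here and not code from the article or from Western Digital, contrasts the two weaknesses described in the advisory with the fix it announces. The "weak" scheme is a simplified model of a single hash over a fixed salt (it does not reproduce SecureAccess's real algorithm, whose details the article does not give); the hardened scheme uses PBKDF2-HMAC-SHA256 with a random 16-byte salt. The wordlist, the iteration count and the record layout are constructed for the demo; the iteration count follows OWASP's 2023 guidance for PBKDF2-HMAC-SHA256.

```python
"""Weak fixed-salt KDF vs. PBKDF2-HMAC-SHA256 with a random salt.

Illustrative model only; not the SecureAccess/PrivateAccess implementation.
"""
import hashlib
import os
import secrets

# Constructed, deliberately tiny dictionary for the demo (not a real wordlist).
WORDLIST = ["123456", "hunter2", "password", "letmein", "correcthorse"]

# --- Weak scheme: one SHA-256 pass over a constant salt + password. ---------
# A constant salt means one precomputed table cracks every vault, and a single
# hash per guess means a GPU tries billions of candidates per second.
FIXED_SALT = b"constant-salt"  # assumed value; the point is that it never changes


def weak_derive(password: str) -> bytes:
    """Model of the 'one-way hash with a predictable salt' from the advisory."""
    return hashlib.sha256(FIXED_SALT + password.encode()).digest()


def dictionary_attack_weak(target: bytes, wordlist=WORDLIST):
    """Return (guess, hash_ops): one hash per candidate, no per-vault salt."""
    for index, guess in enumerate(wordlist, start=1):
        if weak_derive(guess) == target:
            return guess, index
    return None, len(wordlist)


# --- Hardened scheme: PBKDF2-HMAC-SHA256, random salt, high iteration count. --
ITERATIONS = 600_000  # OWASP (2023) floor for PBKDF2-HMAC-SHA256
SALT_LEN = 16
KEY_LEN = 32


def pbkdf2_derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=KEY_LEN)


def enroll(password: str) -> dict:
    """Create a verifier record; the salt is fresh per enrolment (per vault)."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "iterations": ITERATIONS,
            "key": pbkdf2_derive(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    candidate = pbkdf2_derive(password, record["salt"], record["iterations"])
    return secrets.compare_digest(candidate, record["key"])


def dictionary_attack_pbkdf2(record: dict, wordlist=WORDLIST):
    """Same attack against the hardened record.

    Returns (guess, hash_ops). A weak password still falls, but every guess now
    costs `iterations` HMAC evaluations and must be redone per vault because
    the salt differs, so no table can be shared between targets.
    """
    ops = 0
    for guess in wordlist:
        ops += record["iterations"]
        if verify(record, guess):
            return guess, ops
    return None, ops


if __name__ == "__main__":
    weak_target = weak_derive("hunter2")
    print("weak scheme cracked:", dictionary_attack_weak(weak_target))

    rec = enroll("hunter2")
    print("hardened scheme cracked:", dictionary_attack_pbkdf2(rec))
    # Same password enrolled twice yields different keys thanks to the salt.
    print("salted keys differ:", enroll("hunter2")["key"] != rec["key"])
```

Run it and compare the second element of each tuple: the weak scheme finds the password after two hash operations, while the hardened scheme needs 1,200,000 HMAC evaluations for the same two guesses, and that work cannot be reused against another vault because each has its own salt.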

Western Digital has faced other security problems in recent months; earlier in 2021 the company issued emergency guidance to customers after detecting attacks against its network-attached storage (NAS) devices that exposed users' stored data.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.