Details of VAR-201906-1091

ID

VAR-201906-1091

CVE

CVE-2019-10636

TITLE

Self-encrypting hard drives do not adequately protect data

Trust: 0.8

sources: CERT/CC: VU#395981

DESCRIPTION

There are multiple vulnerabilities in implementations of ATA Security or TCG Opal Standards in Self-Encrypting Disks (SEDs), which can allow an attacker to decrypt contents of an encrypted drive. Marvell SSD Controller Contains vulnerabilities related to security features.Information may be tampered with. Marvell SSD Controller 88SS1074 is a solid-state hard drive controller from Marvell. This vulnerability is due to the lack of security measures such as authentication, access control, and rights management in network systems or products

Trust: 1.53

sources: CERT/CC: VU#395981 // JVNDB: JVNDB-2019-005130 // VULHUB: VHN-142202

AFFECTED PRODUCTS

vendor:	marvell	model:	88ss1080	scope:	eq	version:	-	Trust: 1.0
vendor:	marvell	model:	88ss1087	scope:	eq	version:	-	Trust: 1.0
vendor:	marvell	model:	88ss1085	scope:	eq	version:	-	Trust: 1.0
vendor:	marvell	model:	88ss1100	scope:	eq	version:	-	Trust: 1.0
vendor:	marvell	model:	88ss1092	scope:	eq	version:	-	Trust: 1.0
vendor:	marvell	model:	88ss9188	scope:	eq	version:	-	Trust: 1.0
vendor:	marvell	model:	88ss9174	scope:	eq	version:	-	Trust: 1.0
vendor:	marvell	model:	88ss9175	scope:	eq	version:	-	Trust: 1.0
vendor:	marvell	model:	88ss1074	scope:	eq	version:	-	Trust: 1.0
vendor:	marvell	model:	88ss9189	scope:	eq	version:	-	Trust: 1.0
vendor:	marvell	model:	88ss1098	scope:	eq	version:	-	Trust: 1.0
vendor:	marvell	model:	88ss1095	scope:	eq	version:	-	Trust: 1.0
vendor:	marvell	model:	88ss1088	scope:	eq	version:	-	Trust: 1.0
vendor:	marvell	model:	88ss1093	scope:	eq	version:	-	Trust: 1.0
vendor:	marvell	model:	88ss1090	scope:	eq	version:	-	Trust: 1.0
vendor:	marvell	model:	88ss1079	scope:	eq	version:	-	Trust: 1.0
vendor:	marvell	model:	88ss1084	scope:	eq	version:	-	Trust: 1.0
vendor:	marvell	model:	88ss9187	scope:	eq	version:	-	Trust: 1.0
vendor:	marvell	model:	88ss9190	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	micron	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	microsoft	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	samsung semiconductor	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	sandisk	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	western digital	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	marvell	model:	88ss1074	scope:	-	version:	-	Trust: 0.8
vendor:	marvell	model:	88ss1079	scope:	-	version:	-	Trust: 0.8
vendor:	marvell	model:	88ss1080	scope:	-	version:	-	Trust: 0.8
vendor:	marvell	model:	88ss1092	scope:	-	version:	-	Trust: 0.8
vendor:	marvell	model:	88ss1093	scope:	-	version:	-	Trust: 0.8
vendor:	marvell	model:	88ss1095	scope:	-	version:	-	Trust: 0.8
vendor:	marvell	model:	88ss9174	scope:	-	version:	-	Trust: 0.8
vendor:	marvell	model:	88ss9175	scope:	-	version:	-	Trust: 0.8
vendor:	marvell	model:	88ss9187	scope:	-	version:	-	Trust: 0.8
vendor:	marvell	model:	88ss9188	scope:	-	version:	-	Trust: 0.8

sources: CERT/CC: VU#395981 // JVNDB: JVNDB-2019-005130 // NVD: CVE-2019-10636

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-10636
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-10636
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201906-064
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-142202
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-10636
severity:	MEDIUM
baseScore:	4.9
vectorString:	AV:L/AC:L/AU:N/C:N/I:C/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	COMPLETE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-142202
severity:	MEDIUM
baseScore:	4.9
vectorString:	AV:L/AC:L/AU:N/C:N/I:C/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	COMPLETE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-10636
baseSeverity:	MEDIUM
baseScore:	4.6
vectorString:	CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	0.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-142202 // JVNDB: JVNDB-2019-005130 // CNNVD: CNNVD-201906-064 // NVD: CVE-2019-10636

PROBLEMTYPE DATA

problemtype:	CWE-400	Trust: 1.1
problemtype:	CWE-254	Trust: 0.9

sources: VULHUB: VHN-142202 // JVNDB: JVNDB-2019-005130 // NVD: CVE-2019-10636

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201906-064

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005130

PATCH

title:

Security Advisory

url:

https://www.marvell.com/documents/x9g4hrszt5ls3udbe1eo/

Trust: 0.8

sources: JVNDB: JVNDB-2019-005130

EXTERNAL IDS

db:	NVD	id:	CVE-2019-10636	Trust: 2.5
db:	LENOVO	id:	LEN-25256	Trust: 1.4
db:	CERT/CC	id:	VU#395981	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-005130	Trust: 0.8
db:	CNNVD	id:	CNNVD-201906-064	Trust: 0.7
db:	VULHUB	id:	VHN-142202	Trust: 0.1

sources: CERT/CC: VU#395981 // VULHUB: VHN-142202 // JVNDB: JVNDB-2019-005130 // CNNVD: CNNVD-201906-064 // NVD: CVE-2019-10636

REFERENCES

url:	https://www.westerndigital.com/support/productsecurity/wdc-19006-sandisk-x600-sata-ssd	Trust: 2.4
url:	https://support.lenovo.com/us/en/product_security/len-25256	Trust: 2.2
url:	https://www.marvell.com/documents/x9g4hrszt5ls3udbe1eo/	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-10636	Trust: 1.4
url:	https://www.ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/radboud-university-researchers-discover-security/	Trust: 0.8
url:	https://www.ru.nl/publish/pages/909282/draft-paper.pdf	Trust: 0.8
url:	https://www.ncsc.nl/dienstverlening/response-op-dreigingen-en-incidenten/beveiligingsadviezen/ncsc-2018-0984+1.00+meerdere+kwetsbaarheden+ontdekt+in+implementaties+self-encrypting+drives.html	Trust: 0.8
url:	https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv180028	Trust: 0.8
url:	https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj679890(v=ws.11)#configure-use-of-hardware-based-encryption-for-fixed-data-drives	Trust: 0.8
url:	https://www.samsung.com/semiconductor/minisite/ssd/support/consumer-notice/	Trust: 0.8
url:	https://www.crucial.com/usa/en/support-ssd-firmware/	Trust: 0.8
url:	https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-hdefxd	Trust: 0.8
url:	https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-hdeosd	Trust: 0.8
url:	https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-hderdd	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10636	Trust: 0.8

sources: CERT/CC: VU#395981 // VULHUB: VHN-142202 // JVNDB: JVNDB-2019-005130 // CNNVD: CNNVD-201906-064 // NVD: CVE-2019-10636

SOURCES

db:	CERT/CC	id:	VU#395981
db:	VULHUB	id:	VHN-142202
db:	JVNDB	id:	JVNDB-2019-005130
db:	CNNVD	id:	CNNVD-201906-064
db:	NVD	id:	CVE-2019-10636

LAST UPDATE DATE

2024-11-23T22:17:16.503000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#395981	date:	2019-11-14T00:00:00
db:	VULHUB	id:	VHN-142202	date:	2020-08-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-005130	date:	2019-06-17T00:00:00
db:	CNNVD	id:	CNNVD-201906-064	date:	2020-10-28T00:00:00
db:	NVD	id:	CVE-2019-10636	date:	2024-11-21T04:19:38.300

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#395981	date:	2018-11-06T00:00:00
db:	VULHUB	id:	VHN-142202	date:	2019-06-04T00:00:00
db:	JVNDB	id:	JVNDB-2019-005130	date:	2019-06-17T00:00:00
db:	CNNVD	id:	CNNVD-201906-064	date:	2019-06-04T00:00:00
db:	NVD	id:	CVE-2019-10636	date:	2019-06-04T21:29:00.733