CVE-2018-12037
low-risk
Published 2018-11-20
An issue was discovered on Samsung 840 EVO and 850 EVO devices (only in "ATA high" mode, not vulnerable in "TCG" or "ATA max" mode), Samsung T3 and T5 portable drives, and Crucial MX100, MX200 and MX300 devices. Absence of a cryptographic link between the password and the Disk Encryption Key allows attackers with privileged access to SSD firmware full access to encrypted data.
Do I need to act?
EPSS score: 0.10% chance of exploitation (low exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 4.0/10 · Medium · PHYSICAL / HIGH complexity
Affected Products (7)
840 Evo Firmware
850 Evo Firmware
T3 Firmware
T5 Firmware
Crucial Mx100 Firmware
Crucial Mx200 Firmware
Crucial Mx300 Firmware
References (6)
Third Party Advisory
http://www.securityfocus.com/bid/105840
Third Party Advisory
https://security.netapp.com/advisory/ntap-20181112-0001/
24 / 100 · low-risk
Severity: 10/34 · Low
Exploitability: 0/34 · Minimal
Exposure: 14/34 · Moderate