Vulnerability Note VU#964064
ATA interface software may not properly handle ATA security features
Overview
ATA interface software, including multiple system board BIOS implementations, does not adequately manage the ATA hard drive security mode. An attacker may be able to manipulate this situation to completely lock a hard drive, resulting in an almost unrecoverable denial-of-service condition.
Description
ATA-compliant devices may include the ability to set a 32-byte password to prevent data on a device from being disclosed to unauthorized parties. Once set, the password must be entered via the ATA interface software at boot time or the drive will lock itself. When a system is booted, the ATA-compliant drive should validate the password, if it has been set. Next, the ATA interface software should issue the SECURITY FREEZE LOCK command to prevent changes to the password until the system is rebooted. Please note that if the security features are supported by an ATA-compliant drive, they are inactive until a password is set with the SECURITY SET PASSWORD command.

Many different system components may have the ability to issue ATA commands, including the system board BIOS, add-in cards, operating system drivers, and software utilities. However, if a system does not properly handle the ATA security features, then it is likely that the system does not issue the SECURITY FREEZE LOCK command.

If an attacker can gain the privileges needed to issue ATA commands on a system, and that system does not issue the SECURITY FREEZE LOCK command, that attacker may be able to arbitrarily set the password for that drive. Once the password is set, the next time the system is rebooted the system's drive will remain in a locked state until the password is provided. A locked hard drive will ignore commands such as those used to read, write, or erase data. This results in a complete denial-of-service condition.
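An audit check for the condition described above, added here as an example that is not part of the original note: it decodes word 128 (security status) of a drive's 512-byte IDENTIFY DEVICE data and reports whether the drive is frozen. The bit layout is taken from the ATA specification rather than from this note; `make_sample` is a hypothetical helper and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IDENTIFY DEVICE word 128 (security status) bits, per the ATA specification. */
#define SEC_SUPPORTED 0x0001u
#define SEC_ENABLED   0x0002u  /* a user password is set */
#define SEC_LOCKED    0x0004u
#define SEC_FROZEN    0x0008u  /* SECURITY FREEZE LOCK was issued this power cycle */

enum sec_state { NOT_SUPPORTED, LOCKED, FROZEN, UNFROZEN_NO_PASSWORD, UNFROZEN_PASSWORD_SET };

/* IDENTIFY data is 256 little-endian 16-bit words (512 bytes). */
static uint16_t identify_word(const uint8_t *id, unsigned n)
{
    return (uint16_t)(id[2 * n] | (id[2 * n + 1] << 8));
}

/* Classify a drive; both UNFROZEN_* results mean password changes are still accepted. */
enum sec_state classify_security(const uint8_t *id)
{
    uint16_t w = identify_word(id, 128);
    if (!(w & SEC_SUPPORTED)) return NOT_SUPPORTED;
    if (w & SEC_LOCKED)       return LOCKED;
    if (w & SEC_FROZEN)       return FROZEN;
    return (w & SEC_ENABLED) ? UNFROZEN_PASSWORD_SET : UNFROZEN_NO_PASSWORD;
}

/* Hypothetical helper: build a constructed IDENTIFY buffer with only word 128 set. */
void make_sample(uint8_t *id, uint16_t word128)
{
    memset(id, 0, 512);
    id[256] = (uint8_t)(word128 & 0xff);
    id[257] = (uint8_t)(word128 >> 8);
}

int main(void)
{
    static const char *names[] = { "security not supported", "locked", "frozen (ok)",
        "NOT frozen, no password set", "NOT frozen, password set" };
    /* Constructed word-128 values, not captured from real drives. */
    uint16_t samples[] = { 0x0000, 0x0001, 0x0009, 0x0003, 0x0007, 0x000b };
    uint8_t id[512];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        make_sample(id, samples[i]);
        printf("word128=0x%04x -> %s\n", samples[i], names[classify_security(id)]);
    }
    return 0;
}
```

A fleet check built on this would flag any drive that reports either "NOT frozen" state after boot, since that is the state in which the system did not issue SECURITY FREEZE LOCK.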
Impact
If an attacker can change the ATA password on an ATA device, that attacker can completely lock the device, making all the data on the device inaccessible.
Solution
Upgrade ATA Software
Vendor Information
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Check Point Software Technologies | Not Affected | 18 Aug 2005 | 25 Oct 2005 |
Hitachi | Not Affected | 18 Aug 2005 | 13 Oct 2005 |
NextHop Technologies, Inc. | Not Affected | 18 Aug 2005 | 18 Oct 2005 |
OpenBSD | Not Affected | 18 Aug 2005 | 21 Jun 2012 |
3com, Inc. | Unknown | 18 Aug 2005 | 18 Aug 2005 |
Alcatel | Unknown | 18 Aug 2005 | 18 Aug 2005 |
American Megatrends Incorporated (AMI) | Unknown | 18 Aug 2005 | 18 Aug 2005 |
AMI | Unknown | - | 08 Jun 2005 |
Apple Computer, Inc. | Unknown | 18 Aug 2005 | 18 Aug 2005 |
AT&T | Unknown | 18 Aug 2005 | 18 Aug 2005 |
Avaya, Inc. | Unknown | 18 Aug 2005 | 18 Aug 2005 |
Avici Systems, Inc. | Unknown | 18 Aug 2005 | 18 Aug 2005 |
Charlotte's Web Networks | Unknown | 18 Aug 2005 | 18 Aug 2005 |
Chiaro Networks, Inc. | Unknown | 18 Aug 2005 | 18 Aug 2005 |
Cisco Systems, Inc. | Unknown | 18 Aug 2005 | 18 Aug 2005 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 4.7 | AV:L/AC:M/Au:N/C:N/I:N/A:C |
Temporal | 3.8 | E:POC/RL:TF/RC:C |
Environmental | 2.9 | CDP:ND/TD:M/CR:ND/IR:H/AR:ND |
References
- http://www.heise.de/artikel-archiv/ct/2005/08/172
- http://www.heise.de/ct/english/05/08/172/
- http://www.freerepublic.com/focus/f-chat/1376364/posts
- http://lists.freebsd.org/pipermail/freebsd-hackers/2005-April/011318.html
- http://forums.macnn.com/90/mac-os-x/257495/major-ata-security-risk-apple-computers/
- http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/ata/wd.c#rev1.43
Credit
This issue was published in an article in c't. Thanks also to Seagate for expert advice.
This document was written by Jeff Gennari.
Other Information
- CVE IDs: Unknown
- Date Public: 02 Apr 2005
- Date First Published: 21 Jun 2012
- Date Last Updated: 21 Jun 2012
- Severity Metric: 2.25
- Document Revision: 72