Vulnerability Note VU#964064

ATA interface software may not properly handle ATA security features

Original Release date: 21 Jun 2012 | Last revised: 21 Jun 2012

Overview

ATA interface software, including multiple system board BIOS implementations, does not adequately manage the ATA hard drive security mode. An attacker may be able to manipulate this situation to completely lock a hard drive, resulting in an almost unrecoverable denial-of-service condition.

Description

ATA-compliant devices may include the ability to set a 32-byte password to prevent data on a device from being disclosed to unauthorized parties. Once set, the password must be entered via the ATA interface software at boot time or the drive will lock itself. When a system is booted, the ATA-compliant drive should validate the password, if it has been set. Next, the ATA interface software should issue the SECURITY FREEZE LOCK command to prevent changes to the password until the system is rebooted. Note that if the security features are supported by an ATA-compliant drive, they are inactive until a password is set with the SECURITY SET PASSWORD command. Many different system components may have the ability to issue ATA commands, including the system board BIOS, add-in cards, operating system drivers, and software utilities.

However, a system that does not properly handle the ATA security features likely does not issue the SECURITY FREEZE LOCK command. If an attacker can gain the privileges needed to issue ATA commands on a system, and that system does not issue the SECURITY FREEZE LOCK command, that attacker may be able to arbitrarily set the password for that drive. Once the password is set, the next time the system is rebooted the system's drive will remain in a locked state until the password is provided. A locked hard drive will ignore commands such as those used to read, write, or erase data. This results in a complete denial-of-service condition.

We believe that vendors who have the ability to issue ATA commands should issue the SECURITY FREEZE LOCK command for every ATA connected device at the earliest possible moment. Given this, we have marked vendors that issue the SECURITY FREEZE LOCK command as not vulnerable.

Impact

If an attacker can change the ATA password on an ATA device, that attacker can completely lock the device, making all the data on the device inaccessible.

Solution

Upgrade ATA Software
Install or upgrade BIOS, firmware, or ATA drivers that properly issue the SECURITY FREEZE LOCK command.
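
One way to confirm that the installed BIOS, firmware, or driver actually froze each drive is to read the security status in IDENTIFY DEVICE word 128. The code below is an added example, not part of the original note or any vendor's software. It assumes the caller has already obtained each drive's 256-word IDENTIFY DEVICE response; the function names and sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* IDENTIFY DEVICE word 128 carries the Security feature set status bits. */
#define ID_WORDS      256
#define ID_SECURITY   128
#define SEC_SUPPORTED (1u << 0)
#define SEC_ENABLED   (1u << 1)  /* a user password is set */
#define SEC_LOCKED    (1u << 2)
#define SEC_FROZEN    (1u << 3)  /* SECURITY FREEZE LOCK accepted since power-on */

enum freeze_state { NO_SECURITY, FROZEN, LOCKED, PASSWORD_SET_UNFROZEN, EXPOSED };

/* Classify one drive from its 256-word IDENTIFY DEVICE response. */
enum freeze_state classify_drive(const uint16_t *id)
{
    uint16_t s = id[ID_SECURITY];
    if (!(s & SEC_SUPPORTED)) return NO_SECURITY;
    if (s & SEC_FROZEN)       return FROZEN;
    if (s & SEC_LOCKED)       return LOCKED;
    if (s & SEC_ENABLED)      return PASSWORD_SET_UNFROZEN;
    return EXPOSED;  /* supported, no password, not frozen: the case in this note */
}

const char *state_name(enum freeze_state st)
{
    static const char *names[] = { "no security feature set", "frozen", "locked",
                                   "password set, not frozen", "EXPOSED: not frozen" };
    return names[st];
}

/* Count unlocked drives that were left without SECURITY FREEZE LOCK. */
int count_unfrozen(uint16_t ids[][ID_WORDS], int n)
{
    int count = 0;
    for (int i = 0; i < n; i++) {
        enum freeze_state st = classify_drive(ids[i]);
        count += (st == EXPOSED || st == PASSWORD_SET_UNFROZEN);
    }
    return count;
}

int main(void)
{
    /* Constructed samples; only word 128 is populated. */
    static uint16_t ids[3][ID_WORDS];
    ids[0][ID_SECURITY] = 0x0029;  /* supported, frozen, enhanced erase */
    ids[1][ID_SECURITY] = 0x0021;  /* supported, enhanced erase, not frozen */
    ids[2][ID_SECURITY] = 0x0000;  /* feature set not supported */
    for (int i = 0; i < 3; i++)
        printf("drive %d: %s\n", i, state_name(classify_drive(ids[i])));
    return count_unfrozen(ids, 3) ? 1 : 0;
}
```

The non-zero exit status when any drive is unfrozen lets the check fail a boot-time or fleet audit job.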

Vendor Information

Vendor                                  Status        Date Notified  Date Updated
Check Point Software Technologies       Not Affected  18 Aug 2005    25 Oct 2005
Hitachi                                 Not Affected  18 Aug 2005    13 Oct 2005
NextHop Technologies, Inc.              Not Affected  18 Aug 2005    18 Oct 2005
OpenBSD                                 Not Affected  18 Aug 2005    21 Jun 2012
3com, Inc.                              Unknown       18 Aug 2005    18 Aug 2005
Alcatel                                 Unknown       18 Aug 2005    18 Aug 2005
American Megatrends Incorporated (AMI)  Unknown       18 Aug 2005    18 Aug 2005
AMI                                     Unknown       -              08 Jun 2005
Apple Computer, Inc.                    Unknown       18 Aug 2005    18 Aug 2005
AT&T                                    Unknown       18 Aug 2005    18 Aug 2005
Avaya, Inc.                             Unknown       18 Aug 2005    18 Aug 2005
Avici Systems, Inc.                     Unknown       18 Aug 2005    18 Aug 2005
Charlotte's Web Networks                Unknown       18 Aug 2005    18 Aug 2005
Chiaro Networks, Inc.                   Unknown       18 Aug 2005    18 Aug 2005
Cisco Systems, Inc.                     Unknown       18 Aug 2005    18 Aug 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base 4.7 AV:L/AC:M/Au:N/C:N/I:N/A:C
Temporal 3.8 E:POC/RL:TF/RC:C
Environmental 2.9 CDP:ND/TD:M/CR:ND/IR:H/AR:ND

Credit

This issue was published in an article in c't. Thanks also to Seagate for expert advice.

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: Unknown
  • Date Public: 02 Apr 2005
  • Date First Published: 21 Jun 2012
  • Date Last Updated: 21 Jun 2012
  • Severity Metric: 2.25
  • Document Revision: 72

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.