CERT Coordination Center

ATA interface software may not properly handle ATA security features

Vulnerability Note VU#964064

Original Release Date: 2012-06-21 | Last Revised: 2012-06-21

Overview

ATA interface software, including multiple system board BIOS implementations, does not adequately manage the ATA hard drive security mode. An attacker may be able to manipulate this situation to completely lock a hard drive, resulting in an almost unrecoverable denial-of-service condition.

Description

ATA compliant devices may include the ability to set a 32-byte password to prevent data on a device from being disclosed to unauthorized parties. Once set, the password must be entered via the ATA interface software at boot time or the drive will lock itself. When a system is booted, the ATA compliant drive should validate the password, if it has been set. Next, the ATA interface software should issue the SECURITY FREEZE LOCK command to prevent changes to the password until the system is rebooted. Please note that if the security features are supported by an ATA compliant drive, they are inactive until a password is set with the SECURITY SET PASSWORD command. Many different system components may have the ability to issue ATA commands, including the system board BIOS, add-in cards, operating system drivers, and software utilities.

However, if a system does not properly handle the ATA security features, it likely does not issue the SECURITY FREEZE LOCK command. If an attacker can gain the privileges needed to issue ATA commands on a system, and that system does not issue the SECURITY FREEZE LOCK command, that attacker may be able to arbitrarily set the password for that drive. Once the password is set, the next time the system is rebooted the drive will remain in a locked state until the password is provided. A locked hard drive will ignore commands such as those used to read, write, or erase data. This results in a complete denial-of-service condition.

We believe that vendors who have the ability to issue ATA commands should issue the SECURITY FREEZE LOCK command for every ATA connected device at the earliest possible moment. Given this, we have marked vendors that issue the SECURITY FREEZE LOCK command as not vulnerable.
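A defensive check for the condition described above, as an added example that is not part of the CERT note: it decodes the ATA security status word (IDENTIFY DEVICE word 128) and reports whether SECURITY FREEZE LOCK has been issued for a drive. The helper names and the sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IDENTIFY DEVICE data is 256 little-endian 16-bit words (512 bytes).
 * Word 128 reports the state of the security feature set. */
#define ID_BYTES         512
#define ID_WORD_SECURITY 128

#define SEC_SUPPORTED (1u << 0)
#define SEC_ENABLED   (1u << 1) /* a user password has been set */
#define SEC_LOCKED    (1u << 2) /* drive is refusing media access */
#define SEC_FROZEN    (1u << 3) /* SECURITY FREEZE LOCK has been issued */

enum exposure {
    EXP_INVALID,       /* short buffer or status word not reported */
    EXP_NOT_SUPPORTED, /* no security feature set: nothing to freeze */
    EXP_FROZEN,        /* password changes rejected until reboot */
    EXP_LOCKED,        /* already locked: password needed to unlock */
    EXP_UNFROZEN       /* SECURITY SET PASSWORD would still be accepted */
};

static uint16_t id_word(const uint8_t *id, unsigned n)
{
    return (uint16_t)(id[2 * n] | (id[2 * n + 1] << 8));
}

/* Classify one IDENTIFY DEVICE buffer. *password_set (optional) becomes 1
 * when a user password is already active on the drive. */
enum exposure assess_identify(const uint8_t *id, size_t len, int *password_set)
{
    if (password_set)
        *password_set = 0;
    if (id == NULL || len < ID_BYTES)
        return EXP_INVALID;

    uint16_t sec = id_word(id, ID_WORD_SECURITY);
    if (sec == 0xFFFF)              /* all ones: word not reported */
        return EXP_INVALID;
    if (!(sec & SEC_SUPPORTED))
        return EXP_NOT_SUPPORTED;
    if (password_set)
        *password_set = (sec & SEC_ENABLED) != 0;
    if (sec & SEC_FROZEN)
        return EXP_FROZEN;
    if (sec & SEC_LOCKED)
        return EXP_LOCKED;
    return EXP_UNFROZEN;
}

const char *exposure_name(enum exposure e)
{
    static const char *names[] = { "invalid", "not supported", "frozen",
                                   "locked", "UNFROZEN (exposed)" };
    return names[e];
}

/* Constructed sample: a zeroed IDENTIFY buffer with only word 128 filled in. */
void make_sample(uint8_t *id, uint16_t sec)
{
    memset(id, 0, ID_BYTES);
    id[2 * ID_WORD_SECURITY]     = (uint8_t)(sec & 0xFF);
    id[2 * ID_WORD_SECURITY + 1] = (uint8_t)(sec >> 8);
}

int main(void)
{
    /* Constructed status words, not captured from real drives. */
    static const uint16_t samples[] = { 0x0000, 0x0001, 0x0009,
                                        0x0003, 0x0007, 0x000B };
    uint8_t id[ID_BYTES];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int pw;
        make_sample(id, samples[i]);
        enum exposure e = assess_identify(id, sizeof id, &pw);
        printf("word128=0x%04x password_set=%d -> %s\n",
               (unsigned)samples[i], pw, exposure_name(e));
    }
    return 0;
}
```

On Linux, `hdparm -I` reports the same bits in its Security section, so the frozen state can be confirmed after boot without custom code.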

Impact

If an attacker can change the ATA password on an ATA device, that attacker can completely lock the device, making all the data on the device inaccessible.

Solution

Upgrade ATA Software
Install or upgrade BIOS, firmware, or ATA drivers that properly issue the SECURITY FREEZE LOCK command.

Vendor Information

Check Point Software Technologies

Notified:  August 18, 2005 Updated:  October 25, 2005

Statement Date:   October 25, 2005

Status

  Not Vulnerable

Vendor Statement

Check Point products are not affected by this issue.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi

Notified:  August 18, 2005 Updated:  October 13, 2005

Statement Date:   October 13, 2005

Status

  Not Vulnerable

Vendor Statement

Hitachi notebook PCs and desktop PCs are not affected by this issue.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NextHop Technologies, Inc.

Notified:  August 18, 2005 Updated:  October 18, 2005

Statement Date:   October 18, 2005

Status

  Not Vulnerable

Vendor Statement

As NextHop neither ships nor manages ATA devices, our code is not susceptible to this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD

Notified:  August 18, 2005 Updated:  June 21, 2012

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/ata/wd.c#rev1.43

3com, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AMI

Updated:  June 08, 2005

Statement Date:   June 08, 2005

Status

  Unknown

Vendor Statement

AMI has a patch for this vulnerability available to customers, which is integrated into our next core update for AMIBIOS8. Future products will continue to be tested against this issue.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

AT&T

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Alcatel

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

American Megatrends Incorporated (AMI)

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple Computer, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Avaya, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Avici Systems, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Charlotte's Web Networks

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Chiaro Networks, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cisco Systems, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc.

Notified:  October 24, 2005 Updated:  October 24, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

D-Link Systems, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Data Connection, Ltd.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian Linux

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC, Inc. (formerly Data General Corporation)

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Extreme Networks

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project

Notified:  October 07, 2005 Updated:  October 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Force10 Networks, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Foundry Networks, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux

Notified:  October 07, 2005 Updated:  October 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hyperchip

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries)

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Immunix Communications, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ingrian Networks, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intel Corporation

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Lucent Technologies

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Luminous Networks

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation

Updated:  September 22, 2005

Statement Date:   May 24, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MontaVista Software, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Motorola, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Multinet (owned Process Software Corporation)

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Multitech, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Network Appliance, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nortel Networks, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Phoenix Technologies Ltd.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QNX, Software Systems, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Redback Networks, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ricoh Corporation

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Riverstone Networks, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Seagate Technology LLC

Notified:  August 11, 2005 Updated:  August 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sequent Computer Systems, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc.

Notified:  October 07, 2005 Updated:  October 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sun Microsystems, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The SCO Group

Notified:  October 24, 2005 Updated:  October 24, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The SCO Group (SCO Linux)

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The SCO Group (SCO Unix)

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Trustix Secure Linux

Notified:  October 07, 2005 Updated:  October 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

UNISYS

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu

Notified:  October 07, 2005 Updated:  October 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc.

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ZyXEL

Notified:  August 18, 2005 Updated:  August 18, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group          Score  Vector
Base           4.7    AV:L/AC:M/Au:N/C:N/I:N/A:C
Temporal       3.8    E:POC/RL:TF/RC:C
Environmental  2.9    CDP:ND/TD:M/CR:ND/IR:H/AR:ND

Credit

This issue was published in an article in c't. Thanks also to Seagate for expert advice.

This document was written by Jeff Gennari.

Other Information

CVE IDs: None
Severity Metric: 2.25
Date Public: 2005-04-02
Date First Published: 2012-06-21
Date Last Updated: 2012-06-21 19:46 UTC
Document Revision: 72

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.