#VU15755 Information disclosure in Crucial US Hardware solutions


Published: 2018-11-07

Vulnerability identifier: #VU15755

Vulnerability risk: Low

CVSSv3.1: 4 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-12037

CWE-ID: CWE-200

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
850 EVO: Client/Desktop applications / Software for system administration
840 EVO: Client/Desktop applications / Software for system administration
T5: Client/Desktop applications / Software for system administration
T3: Client/Desktop applications / Software for system administration
MX300: Hardware solutions / Firmware
MX200: Hardware solutions / Firmware
MX100: Hardware solutions / Firmware

Vendor: Samsung, Crucial US

Description
The vulnerability allows a physical attacker to obtain potentially sensitive information on the target system.

The weakness exists due to the absence of a cryptographic link between the password provided by the end user and the cryptographic key used to encrypt user data. A physical attacker can access the key without knowing the password provided by the end user and decrypt information encrypted with that key.
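
The missing cryptographic link described above, shown as an added example that is not vendor firmware code and not part of the original advisory: it contrasts a design where the password only gates access to a separately stored data encryption key (DEK) with one where the DEK is persisted only wrapped under a password-derived key. All function names and the state layout are hypothetical, and the XOR-with-KDF-output wrap is a stand-in for a real key-wrap algorithm such as AES Key Wrap.

```python
import hashlib, hmac, os

def _kdf(password: bytes, salt: bytes) -> bytes:
    # 64 bytes of output: first 32 wrap the DEK, last 32 key the integrity tag.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=64)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def provision_unbound(password: bytes, dek: bytes) -> dict:
    # Flawed design: the password is only compared against a verifier;
    # the DEK is persisted independently of it.
    salt = os.urandom(16)
    return {"salt": salt, "verifier": _kdf(password, salt), "dek": dek}

def unlock_unbound(state: dict, password: bytes):
    ok = hmac.compare_digest(state["verifier"], _kdf(password, state["salt"]))
    return state["dek"] if ok else None

def provision_bound(password: bytes, dek: bytes) -> dict:
    # Bound design: the 32-byte DEK exists at rest only in wrapped form.
    salt = os.urandom(16)
    k = _kdf(password, salt)
    wrapped = _xor(dek, k[:32])  # stand-in for AES Key Wrap (assumption)
    tag = hmac.new(k[32:], wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unlock_bound(state: dict, password: bytes):
    k = _kdf(password, state["salt"])
    expected = hmac.new(k[32:], state["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, state["tag"]):
        return None  # wrong password: no key material is released
    return _xor(state["wrapped"], k[:32])

def dek_in_stored_state(state: dict, dek: bytes) -> bool:
    # Design-review check: does the persisted state contain the raw DEK?
    return any(v == dek for v in state.values())

if __name__ == "__main__":
    dek = os.urandom(32)      # constructed sample key
    pw = b"example-password"  # constructed sample password
    for name, prov in (("unbound", provision_unbound), ("bound", provision_bound)):
        print(name, "raw DEK at rest:", dek_in_stored_state(prov(pw, dek), dek))
```

In the unbound design the password check is policy enforced by firmware, so anyone who can read the persisted state bypasses it; in the bound design the stored state is useless without the password.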

Mitigation
Install updates for the vulnerable products from vendors' websites.

Vulnerable software versions

850 EVO: All versions

840 EVO: All versions

T5: All versions

T3: All versions

MX300: All versions

MX200: All versions

MX100: All versions


External links
http://www.kb.cert.org/vuls/id/395981/


Q & A

Can this vulnerability be exploited remotely?

No. The attacker needs physical access to the system to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

