#VU15755 Information disclosure in Crucial US products - CVE-2018-12037
Published: November 7, 2018
Vulnerability identifier: #VU15755
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-12037
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
850 EVO
840 EVO
T5
T3
MX300
MX200
MX100
850 EVO
840 EVO
T5
T3
MX300
MX200
MX100
Software vendor:
Samsung
Crucial US
Samsung
Crucial US
Description
The vulnerability allows a physical attacker to obtain potentially sensitive information on the target system.
The weakness exists due to the absence of a cryptographic link between the password provided by the end user and the cryptographic key used to encrypt user data. A physical attacker can access the key without knowing the password provided by the end user and decrypt information encrypted with that key.
The weakness exists due to the absence of a cryptographic link between the password provided by the end user and the cryptographic key used to encrypt user data. A physical attacker can access the key without knowing the password provided by the end user and decrypt information encrypted with that key.
Remediation
Install updates for the vulnerable products from vendors' websites.