CVE-2021-36750: ENC DataVault before 7.2 and VaultAPI v67 have improper key derivation implementation, allowing attackers to more easily determine user passwords across multiple branded USB drives.


Description

ENC DataVault versions prior to 7.2 and VaultAPI versions prior to v67 contain a vulnerability in their password-based key derivation function implementation. This vulnerability (CWE-307: Improper Restriction of Excessive Authentication Attempts) makes it significantly easier for attackers to determine user passwords through brute force methods. The vulnerability affects USB drives sold under multiple brand names that utilize ENC Security's encryption software, including SanDisk SecureAccess. The flaw in the key derivation mechanism compromises the security of encrypted data stored on affected devices.

Overview

The vulnerability in ENC DataVault and VaultAPI affects the password-based key derivation function, the component that converts a user's password into the encryption key. Because the derivation is improperly implemented, the key derivation process is weakened, allowing attackers to perform more efficient brute force attacks against user passwords. This vulnerability impacts USB drives from various manufacturers that license ENC Security's encryption technology. When exploited, an attacker could gain unauthorized access to encrypted data stored on these drives. The issue is particularly concerning because users rely on this encryption to protect sensitive data stored on portable USB drives.
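The contrast between a weak password-to-key derivation and a properly salted, iterated one, as an added example: this is not ENC Security's code, the weak variant illustrates the class of flaw rather than ENC's actual implementation, and the iteration floor is an assumed policy value, not a figure from the advisory.

```python
import hashlib
import secrets

# Added example, not ENC Security's code. Contrasts a weak password-to-key
# derivation (the class of flaw behind CVE-2021-36750) with a salted,
# iterated PBKDF2-HMAC-SHA256 derivation. The iteration floor is an assumed
# policy value, not a figure from the advisory.

KEY_LEN = 32                # bytes of key material, e.g. for AES-256
SALT_LEN = 16               # per-vault random salt, stored beside the ciphertext
MIN_ITERATIONS = 600_000    # assumed policy floor for PBKDF2-HMAC-SHA256


def derive_key_weak(password: str) -> bytes:
    """Illustrative weak KDF: one unsalted hash of the password.

    Every guess costs a single hash, and the same password yields the same
    key on every drive, so one precomputed table serves all of them.
    """
    return hashlib.sha256(password.encode("utf-8")).digest()


def derive_key_hardened(password: str, salt: bytes,
                        iterations: int = MIN_ITERATIONS) -> bytes:
    """Salted, iterated derivation: each guess now costs `iterations` HMACs,
    and the per-vault salt defeats precomputation across drives."""
    if len(salt) < SALT_LEN:
        raise ValueError(f"salt must be at least {SALT_LEN} bytes")
    if iterations < MIN_ITERATIONS:
        raise ValueError(f"iterations below policy floor of {MIN_ITERATIONS}")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def new_vault_salt() -> bytes:
    """Fresh random salt, generated once when a vault is created."""
    return secrets.token_bytes(SALT_LEN)


def guess_cost_ratio(iterations: int = MIN_ITERATIONS) -> int:
    """Hash operations per password guess, hardened versus weak:
    `iterations` to 1. This is the factor by which offline guessing slows."""
    return iterations


if __name__ == "__main__":
    salt = new_vault_salt()
    key = derive_key_hardened("correct horse battery staple", salt)
    print("hardened key:", key.hex())
    print("weak key:    ", derive_key_weak("correct horse battery staple").hex())
    print("per-guess cost ratio:", guess_cost_ratio())
```

The salt and iteration count are not secrets and can be stored in the vault header; only the password must stay private.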

Remediation

Users should immediately update their ENC DataVault software to version 7.2 or later and ensure VaultAPI is updated to v67 or later. Specific steps include:

  1. Check the current version of your ENC DataVault or branded equivalent software (such as SanDisk SecureAccess).
  2. Download and install the latest version from your device manufacturer's official website.
  3. For SanDisk users, visit the Western Digital support site to obtain the updated SecureAccess software.
  4. After updating, consider changing your encryption passwords as a precautionary measure.
  5. If using affected drives in enterprise environments, ensure all instances of the software are updated across the organization.

Organizations should also consider implementing additional security controls such as multi-factor authentication for accessing sensitive data and monitoring for unusual access patterns to encrypted storage.

References

  1. ENC Security Update Advisory: https://encsecurity.zendesk.com/hc/en-us/articles/4413283717265-Update-for-ENC-Software
  2. Western Digital Security Advisory: https://www.westerndigital.com/en-ap/support/product-security/wdc-21014-sandisk-secureaccess-software-update
  3. ENC Security Product Information: https://www.encsecurity.com/solutions.php
  4. Technical Analysis at RC3 2021: https://pretalx.c3voc.de/rc3-2021-r3s/talk/QMYGR3/
  5. CWE-307: Improper Restriction of Excessive Authentication Attempts: https://cwe.mitre.org/data/definitions/307.html

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Accommodation & Food Services
  2. Administrative, Support, Waste Management & Remediation Services
  3. Agriculture, Forestry, Fishing & Hunting
  4. Arts, Entertainment & Recreation
  5. Construction
  6. Educational Services
  7. Finance and Insurance
  8. Health Care & Social Assistance
  9. Information
  10. Management of Companies & Enterprises
  11. Manufacturing
  12. Mining
  13. Other Services (except Public Administration)
  14. Professional, Scientific, & Technical Services
  15. Public Administration
  16. Real Estate Rental & Leasing
  17. Retail Trade
  18. Transportation & Warehousing
  19. Utilities
  20. Wholesale Trade

Armis Vulnerability Intelligence Database