Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2022-28382

Disclosure Date: June 08, 2022
CVE-2022-28382 CVSS v3 Base Score: 7.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An issue was discovered in certain Verbatim drives through 2022-03-31. Due to the use of an insecure encryption AES mode (Electronic Codebook, aka ECB), an attacker may be able to extract information even from encrypted data, for example by observing repeating byte patterns. The firmware of the USB-to-SATA bridge controller INIC-3637EN uses AES-256 with the ECB mode. This operation mode of block ciphers (e.g., AES) always encrypts identical plaintext data, in this case blocks of 16 bytes, to identical ciphertext data. For some data, for instance bitmap images, the lack of the cryptographic property called diffusion, within ECB, can leak sensitive information even in encrypted data. Thus, the use of the ECB operation mode can put the confidentiality of specific information at risk, even in an encrypted form. This affects Keypad Secure USB 3.2 Gen 1 Drive Part Number #49428, Store ‘n’ Go Secure Portable HDD GD25LK01-3637-C VER4.0, Executive Fingerprint Secure SSD GDMSFE01-INI3637-C VER1.1, and Fingerprint Secure Portable Hard Drive Part Number #53650.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
3.6
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
None
Availability (A):
None

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • verbatim

Products

  • executive fingerprint secure ssd firmware,
  • fingerprint secure portable hard drive firmware,
  • keypad secure usb 3.2 gen 1 firmware,
  • store 'n' go secure portable hdd firmware

References

Canonical
CVE-2022-28382 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28382)
Advisory
20220610 [SYSS-2022-006]: Verbatim Store 'n' Go Secure Portable HDD - Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) (CVE-2022-28382) (http://seclists.org/fulldisclosure/2022/Jun/18)
20220610 [SYSS-2022-010]: Verbatim Executive Fingerprint Secure SSD - Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) (CVE-2022-28382) (http://seclists.org/fulldisclosure/2022/Jun/22)
20220610 [SYSS-2022-002]: Verbatim Keypad Secure USB 3.2 Gen 1 Drive - Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) (CVE-2022-28382) (http://seclists.org/fulldisclosure/2022/Jun/9)
20220610 [SYSS-2022-015]: Verbatim Fingerprint Secure Portable Hard Drive - Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) (CVE-2022-28382) (http://seclists.org/fulldisclosure/2022/Jun/24)
20221008 [SYSS-2022-044]: Verbatim Store 'n' Go Secure Portable SSD - Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) (CVE-2022-28382) (http://seclists.org/fulldisclosure/2022/Oct/4)
Miscellaneous
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-002.txt
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-006.txt
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-010.txt
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-015.txt
http://packetstormsecurity.com/files/167491/Verbatim-Keypad-Secure-USB-3.2-Gen-1-Drive-ECB-Issue.html
http://packetstormsecurity.com/files/167500/Verbatim-Store-N-Go-Secure-Portable-HDD-GD25LK01-3637-C-VER4.0-Risky-Crypto.html
http://packetstormsecurity.com/files/167532/Verbatim-Fingerprint-Secure-Portable-Hard-Drive-53650-Risky-Crypto.html
http://packetstormsecurity.com/files/167528/Verbatim-Executive-Fingerprint-Secure-SSD-GDMSFE01-INI3637-C-VER1.1-Risky-Crypto.html
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-044.txt

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis