Samsung's 'Magician' for SSDs can let crims run evil code
What is this: Storage insecurity day? Asking cos Acronis has the same problem
The CERT Coordination Centre at Carnegie Mellon University has just popped two items onto storage admins' to-do lists.
Item one: Go get version 5.1 of Samsung Magician, stat. The application lets users manage the Korean company's solid state disk drives by doing things like updating firmware, performing secure erasure or perusing SMART data. The software is offered for Samsung's consumer and enterprise drives, but “checks for and retrieves updates over HTTP” and then “uses HTTPS to perform update operations, however it does not validate SSL certificates.”
The CERT says that act of omission means “An attacker on the same network as, or who can otherwise affect network traffic from, a Samsung Magician user can cause the Magician update process to execute arbitrary code with system administrator privileges.”
The fix? Cast whatever spells are required to install Magician 5.1, available here.
Item two: find the Settings dialog for Acronis True Image, because the CERT says “versions through and including 2017 Build 8053 performs update operations over unprotected HTTP channels.” Downloaded updates are therefore “not validated beyond verifying the server-provided MD5 hash.”
The impact? “An attacker on the same network as, or who can otherwise affect network traffic from, an Acronis True Image user can cause the True Image update process to execute arbitrary code with system administrator privileges.”
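To make both weaknesses concrete, here is a small simulated updater in Python. It is an added example, not code from Samsung, Acronis or the CERT; the hostnames, payloads and the Network class are constructed. It models an on-path attacker and shows why a server-supplied MD5 over plain HTTP and HTTPS without certificate validation both let the attacker substitute the update, while a validating TLS context refuses the connection outright.

```python
import hashlib
import ssl

# Constructed sample "update" files; no real vendor files are involved.
GENUINE = b"genuine-update-v5.1"
MALICIOUS = b"attacker-substituted-update"


class Network:
    """Simulated network path (hypothetical): an on-path attacker can rewrite plain
    HTTP, and HTTPS too when the client skips certificate validation."""

    def __init__(self, attacker_on_path: bool):
        self.attacker_on_path = attacker_on_path

    def fetch(self, url: str, tls_ctx):
        genuine = {"payload": GENUINE, "md5": hashlib.md5(GENUINE).hexdigest(),
                   "sha256": hashlib.sha256(GENUINE).hexdigest()}
        if not self.attacker_on_path:
            return genuine
        # The attacker serves a substitute and recomputes every hash to match it.
        tampered = {"payload": MALICIOUS, "md5": hashlib.md5(MALICIOUS).hexdigest(),
                    "sha256": hashlib.sha256(MALICIOUS).hexdigest()}
        if url.startswith("http://"):
            return tampered
        if tls_ctx.verify_mode == ssl.CERT_NONE or not tls_ctx.check_hostname:
            return tampered  # bogus certificate accepted without complaint
        raise ssl.SSLCertVerificationError("certificate verify failed")


def trueimage_style_update(net: Network):
    """Plain HTTP plus a server-provided MD5: the hash travels with the payload."""
    r = net.fetch("http://updates.example.invalid/latest", None)
    return r["payload"] if hashlib.md5(r["payload"]).hexdigest() == r["md5"] else None


def magician_style_update(net: Network):
    """HTTPS, but with certificate validation switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return net.fetch("https://updates.example.invalid/latest", ctx)["payload"]


def hardened_update(net: Network):
    """Validating TLS 1.2+ context; SHA-256 checked over the authenticated channel."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        r = net.fetch("https://updates.example.invalid/latest", ctx)
    except ssl.SSLCertVerificationError:
        return None  # refuse to install; surface the certificate error instead
    return r["payload"] if hashlib.sha256(r["payload"]).hexdigest() == r["sha256"] else None
```

A manifest signed with a vendor key embedded in the client would additionally protect against a compromised download server, which validated TLS alone does not.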
The CERT recommends turning off True Image's auto-update features and manually downloading updates with your browser. Hence our exhortation to find that Settings dialog. ®