Western Digital has released updates for its SanDisk SecureAccess software to fix multiple vulnerabilities that can be exploited to access user data by carrying out brute force and dictionary attacks.
The SanDisk SecureAccess software, rebranded as SanDisk PrivateAccess, stores and protects critical and sensitive files on SanDisk USB flash drives. Access to the user's private vault is protected by a personal password, and all files are automatically encrypted.
SanDisk SecureAccess version 3.02 used a one-way cryptographic hash with a predictable salt, which makes the software vulnerable to dictionary attacks. The software also used a password hash with insufficient computational effort; as a consequence, an attacker can brute-force user passwords, leading to unauthorized access to user data.
The vulnerabilities, tracked as CVE-2021-36750, were discovered by researcher Sylvain Pelissier. Western Digital addressed the issue with the release of SanDisk PrivateAccess version 6.3.5.
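The two weakness classes described above (a predictable salt and a password hash with too little computational effort) are shown below next to a hardened form, with a small audit of stored verifiers. This is an added example, not code from SanDisk, Western Digital or the researcher: the weak function is a constructed stand-in rather than the product's actual algorithm, and PBKDF2, the iteration count and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the weakness class, NOT SanDisk's actual algorithm.
FIXED_SALT = b"app-wide-constant"   # predictable: identical for every vault
ITERATIONS = 600_000                # assumed work factor; tune to your hardware
SALT_BYTES = 16


def weak_verifier(password: str) -> bytes:
    """One fast hash with a predictable salt: the pattern to avoid."""
    return hashlib.sha256(FIXED_SALT + password.encode()).digest()


def make_verifier(password: str) -> dict:
    """Random per-vault salt plus an iterated KDF."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def check_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def audit(records: list[dict], min_iterations: int = ITERATIONS) -> list[str]:
    """Flag stored verifiers that show either weakness."""
    findings = []
    salts = [r["salt"] for r in records]
    for i, r in enumerate(records):
        if len(r["salt"]) < SALT_BYTES or salts.count(r["salt"]) > 1:
            findings.append(f"record {i}: short or reused salt")
        if r["iterations"] < min_iterations:
            findings.append(f"record {i}: only {r['iterations']} iterations")
    return findings


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    # Same password in two vaults: identical weak hashes, distinct strong ones.
    print(weak_verifier(pw) == weak_verifier(pw))
    print(make_verifier(pw)["digest"] == make_verifier(pw)["digest"])
    legacy = {"salt": FIXED_SALT, "iterations": 1, "digest": weak_verifier(pw)}
    print(audit([legacy, dict(legacy), make_verifier(pw)]))
```

Because the weak verifier is the same for every vault that shares a password, one precomputed dictionary covers all of them; the per-vault random salt removes that shortcut and the iteration count raises the cost of each guess.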
Earlier this year, WD warned customers that attacks targeting some of its older NAS devices involved the exploitation of a zero-day vulnerability. Threat actors had targeted My Book Live and My Book Live Duo devices and reset them to factory settings.