SanDisk SecureAccess bug allows brute forcing vault passwords

Western Digital has fixed a security vulnerability that allowed attackers to brute-force SanDisk SecureAccess passwords and access users' protected files.

SanDisk SecureAccess (since rebranded as SanDisk PrivateAccess) lets users store sensitive files in a password-protected vault on SanDisk USB flash drives.

“SanDisk SecureAccess 3.02 was using a one-way cryptographic hash with a predictable salt making it vulnerable to dictionary attacks by a malicious user,” Western Digital explained in a security advisory issued Wednesday.

“The software also made use of a password hash with insufficient computational effort that would allow an attacker to brute force user passwords leading to unauthorized access to user data.”

The flaw, tracked as CVE-2021-36750, comes down to two key-derivation weaknesses: a salt an attacker can predict, which lets password guesses be precomputed once and reused against any vault, and a hash cheap enough that each guess costs almost nothing. It has been addressed in SanDisk PrivateAccess version 6.3.5, which derives the vault key with PBKDF2-SHA256 over a randomly generated salt.
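The following Python is an added illustration of the weakness class described in the advisory and of the fix; it is not SanDisk's code and makes no claim about how SecureAccess actually derived its keys. The "weak" scheme assumes a single SHA-256 pass over a constant, predictable salt; the "hardened" scheme is PBKDF2-HMAC-SHA256 over a random 16-byte salt with a high iteration count. The salt constant, wordlist, iteration count and all function names are assumptions chosen for the example.

```python
"""Weak vs. hardened password-to-key derivation (illustrative, not SanDisk's code).

Shows why a predictable salt plus a fast hash is fatal: the attacker can build a
hash -> password table once and reuse it against every vault, while PBKDF2 with a
random per-vault salt forces fresh, expensive work for each guess on each vault.
"""
import hashlib
import secrets
import time
from typing import Dict, Iterable, Optional, Tuple

# --- Hypothetical weak scheme: one SHA-256 over a fixed salt. The salt value is
# a constructed constant; what matters is that it is the same for every vault and
# knowable in advance, which is what the advisory calls a "predictable salt".
PREDICTABLE_SALT = b"constructed-constant-salt"


def weak_derive(password: str, salt: bytes = PREDICTABLE_SALT) -> bytes:
    """One cheap hash per guess; identical passwords give identical outputs."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def build_lookup_table(wordlist: Iterable[str]) -> Dict[bytes, str]:
    """Precompute hash -> password for every candidate. Only possible because the
    salt is known before any target is seen; one table cracks every vault whose
    password is in the list with a dictionary lookup, no hashing per target."""
    return {weak_derive(word): word for word in wordlist}


def crack_weak(table: Dict[bytes, str], target: bytes) -> Optional[str]:
    return table.get(target)


# --- Hardened scheme: PBKDF2-HMAC-SHA256, random salt per vault, costly iteration
# count. The count below is an assumption (OWASP's 2023 floor for this PRF).
PBKDF2_ITERATIONS = 600_000
SALT_LEN = 16
KEY_LEN = 32


def strong_derive(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, int, bytes]:
    """Return (salt, iterations, key). A fresh random salt is drawn when none is
    given; salt and iteration count are stored beside the vault, not secret."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_LEN)
    return salt, iterations, key


def verify_strong(password: str, salt: bytes, iterations: int, key: bytes) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=KEY_LEN)
    return secrets.compare_digest(candidate, key)


if __name__ == "__main__":
    # Constructed wordlist; real dictionaries run to millions of entries.
    wordlist = ["password", "letmein", "hunter2", "sandisk", "123456"]

    # Two vaults, same password: weak outputs collide, so one table serves both.
    table = build_lookup_table(wordlist)
    vault_a = weak_derive("hunter2")
    vault_b = weak_derive("hunter2")
    print("weak: vaults collide =", vault_a == vault_b,
          "| cracked =", crack_weak(table, vault_a), crack_weak(table, vault_b))

    # Same password, hardened scheme: different salts give unrelated keys, and a
    # dictionary run must redo the full PBKDF2 work per guess per vault.
    salt_a, it_a, key_a = strong_derive("hunter2")
    salt_b, it_b, key_b = strong_derive("hunter2")
    print("strong: keys collide =", key_a == key_b)

    start = time.perf_counter()
    for guess in wordlist:
        if verify_strong(guess, salt_a, it_a, key_a):
            print("strong: cracked", guess, "after",
                  f"{time.perf_counter() - start:.2f}s for {len(wordlist)} guesses")
            break
```

The numbers printed by the last block make the cost difference concrete: a weak-scheme lookup is a dictionary access, while each PBKDF2 guess costs hundreds of milliseconds and cannot be shared between vaults because the salt differs. Adopting PBKDF2 (or a memory-hard KDF such as scrypt or Argon2) does not make a short dictionary password safe, it only raises the per-guess price, so the iteration count should be tuned to the slowest hardware the product must support and revisited over time.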

