WDC Tracking Number: WDC-19009
Published: July 11, 2019
Last Updated: July 11, 2019
The Western Digital and SanDisk SSD Dashboard applications are potentially vulnerable to man-in-the-middle attacks when the applications download resources from the Dashboard web service. This vulnerability may allow an attacker to substitute downloaded resources with arbitrary files. Additionally, the “generate reports” archive is protected with a hard-coded password. An application update that addresses the protection of resource downloads and archive encryption is available.
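The Western Digital and SanDisk SSD Dashboard applications rely on HTTP for resource downloads from Dashboard’s web service. Because plain HTTP neither authenticates the server nor protects the integrity of the response, an attacker positioned on the network path can substitute the downloaded resources. Installing the updated application will ensure the application uses HTTPS for resource downloads.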
CVE Number: CVE-2019-13467
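The following is an added example, not Western Digital's code: a minimal Python download helper that fails closed on the class of issue described above, rejecting non-HTTPS resource URLs and refusing redirects that downgrade to HTTP. The host names are constructed placeholders on a reserved test domain, and the function names are hypothetical.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit


class InsecureTransportError(ValueError):
    """Raised when a resource would be fetched without TLS."""


def require_https(url: str) -> str:
    """Return url unchanged if it is an absolute https:// URL, else raise."""
    parts = urlsplit(url)  # urlsplit lowercases the scheme
    if parts.scheme != "https" or not parts.hostname:
        raise InsecureTransportError(f"refusing non-HTTPS resource URL: {url!r}")
    return url


class HttpsOnlyRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Reject redirects that would move the download off HTTPS."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)  # a 30x to http:// would reopen the MITM window
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def make_opener() -> urllib.request.OpenerDirector:
    # create_default_context() verifies the certificate chain and hostname.
    tls = ssl.create_default_context()
    return urllib.request.build_opener(
        HttpsOnlyRedirectHandler(),
        urllib.request.HTTPSHandler(context=tls),
    )


def fetch_resource(url: str, timeout: float = 10.0) -> bytes:
    """Download a resource, failing closed on any plaintext hop."""
    require_https(url)
    with make_opener().open(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed URLs on a reserved test domain; no network access is made.
    for candidate in ("https://dashboard.example.test/resources/list.xml",
                      "http://dashboard.example.test/resources/list.xml"):
        try:
            print("allowed:", require_https(candidate))
        except InsecureTransportError as exc:
            print("blocked:", exc)
```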
The Western Digital and SanDisk SSD Dashboard applications provide a function to generate system information reports for diagnosing issues, which uses a hard-coded password to archive the report files. Given the use case for these reports, the updated application will no longer encrypt the system information report files, and customers requiring support should instead directly share such reports with our Customer Support teams only.
CVE Number: CVE-2019-13466