WDC Tracking Number: WDC-21014
Published: December 8, 2021
Last Updated: December 8, 2021
SanDisk SecureAccess 3.02 was using a one-way cryptographic hash with a predictable salt, making it vulnerable to dictionary attacks by a malicious user. The software also made use of a password hash with insufficient computational effort, which would allow an attacker to brute force user passwords, leading to unauthorized access to user data.
Both key derivation function issues described above have been resolved in SanDisk PrivateAccess Version 6.3.5. SanDisk SecureAccess has been rebranded to SanDisk PrivateAccess.
We urge our customers to install this software update immediately to keep their vaults secure. As with any upgrade, it is best to back up your data before installing the upgrade. Back up your data using the built-in Backup function in the Tools menu.
For complete instructions on how to upgrade please see:
https://kb.sandisk.com/app/answers/detail/a_id/23775
The key derivation function issues have been addressed by using PBKDF2-SHA256 together with a randomly generated salt.
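As an added illustration (not Western Digital's or SanDisk's code, and with hypothetical salt and parameter values, since the advisory gives none), the weak derivation described above next to the PBKDF2-SHA256-with-random-salt scheme the fix adopts:

```python
"""Weak vault-key derivation versus PBKDF2-HMAC-SHA256 with a random salt.
Added example; values below are constructed for illustration only."""
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical constant salt standing in for a salt baked into a binary.
PREDICTABLE_SALT = b"fixed-salt-from-binary"
PBKDF2_ITERATIONS = 600_000   # work factor; tune to the slowest target device
SALT_LEN = 16

def weak_derive(password: str, salt: bytes = PREDICTABLE_SALT) -> bytes:
    """One SHA-256 over a constant salt: cheap per guess, and because every
    vault shares the salt, one precomputed dictionary covers all users."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def derive_keys(password: str, salt: bytes, iterations: int) -> tuple:
    """PBKDF2-HMAC-SHA256 stretched to 64 bytes and split: the first half
    protects vault contents, the second half is a stored verifier."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, iterations, dklen=64)
    return material[:32], material[32:]

def create_vault_record(password: str,
                        iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Per-vault random salt; only salt, iteration count and verifier are
    persisted. The content key itself never touches disk."""
    salt = os.urandom(SALT_LEN)
    _enc_key, verifier = derive_keys(password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": verifier}

def open_vault(record: dict, password: str) -> Optional[bytes]:
    """Re-derive from the stored parameters; constant-time compare of the
    verifier, returning the content key only on success."""
    enc_key, verifier = derive_keys(password, record["salt"],
                                    record["iterations"])
    if hmac.compare_digest(verifier, record["verifier"]):
        return enc_key
    return None
```

Two users choosing the same password get identical weak hashes but unrelated records under the fixed scheme, which is exactly the property that defeats a shared dictionary.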
CVE Number: CVE-2021-36750
Western Digital would like to thank Sylvain Pelissier for reporting this issue.