Monthly Archives: November 2018

Vulnerabilities in self-encrypting SSDs let cyber criminals bypass BitLocker Full Disk Encryption. Don’t Panic!

25 November 2018

Full disk encryption (FDE) applications like BitLocker represent the final bastion in protection against theft and loss of laptops.

No wonder that the post “Flaws in Popular SSD Drives Bypass Hardware Disk Encryption”[1], published by Lawrence Abrams on 11/5/2018 at Bleeping Computer, caused considerable alarm in the security community.

I scanned the announcement from Radboud University[2] and the preliminary version of the research paper and found no need to enter panic mode.

Hard Drive Lock by Hello Many from the Noun Project

What happened. Researchers from Radboud University in The Netherlands found two critical security weaknesses, CVE-2018-12037 and CVE-2018-12038, in the hardware encryption of some SSDs that allow access to the data without knowledge of any secret. BitLocker on Windows 8/10 can hand the encryption off to the drive's hardware to speed up the encryption process, so on an affected drive BitLocker's protection is compromised as well.

Under normal operating conditions these vulnerabilities are hard to exploit: an attacker must remove the SSD from the computer and attach a hardware debugger to reach the secrets.

The risk therefore increases whenever the device is out of its owner's hands: left unattended (the evil maid attack[3]), lost or stolen, or lost some time ago and kept unchanged for whatever reason.

You should already have procedures in place for dealing with stolen or lost devices. They must now be updated:

  • Users must change their passwords directly after the loss of a device is reported.
  • All certificates, soft and hard tokens used for securing remote access or access to sensitive data and services must be invalidated directly after a loss is reported.
  • The help desk must be notified of the loss and advised to report a security incident in the case of requests regarding the stolen device or the affected user accounts.

In any case, the best advice for keeping the impact of a loss small is for users to store as little sensitive data as possible on portable devices.

For details on how to handle this issue please refer to the Microsoft security advisory ADV180028[4], published on 11/6/2018.
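The advisory's check is to look at the "Encryption Method" line that `manage-bde.exe -status` prints for each volume. The following added example (not code from the original post or from Microsoft) parses that output and lists the volumes whose protection rests on the drive's own encryption; the sample output is constructed, not captured from a real machine.

```python
"""Flag BitLocker volumes whose protection rests on the SSD's own encryption.

Added example, not code from the original post or from Microsoft. ADV180028
points at the "Encryption Method" line of `manage-bde.exe -status`; this
script applies that check to every volume in the output.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample output (not captured from a real machine); the real tool
# prints a header and more fields per volume, which the parser ignores.
SAMPLE_STATUS = """\
Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Encryption Method:    Hardware Encryption
    Protection Status:    Protection On

Volume D: [Data]
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]):")


def parse_status(text: str) -> Dict[str, Dict[str, str]]:
    """Return {drive letter: {field: value}} for each volume listed."""
    volumes: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = VOLUME_RE.match(line)
        if m:
            current = m.group(1)
            volumes[current] = {}
        elif current and ":" in line:
            key, _, value = line.strip().partition(":")
            volumes[current][key.strip()] = value.strip()
    return volumes


def hardware_encrypted(text: str) -> List[str]:
    """Drive letters using drive-firmware encryption, the case the advisory covers."""
    return [d for d, f in parse_status(text).items()
            if f.get("Encryption Method", "").lower().startswith("hardware")]


if __name__ == "__main__":  # Windows only: run the real tool and report
    status = subprocess.run(["manage-bde.exe", "-status"], capture_output=True,
                            text=True, check=True).stdout
    print("Hardware-encrypted volumes:", hardware_encrypted(status))
```

Any volume the script lists is one where the advisory's guidance on switching to software encryption applies.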

The big question is: who takes care of the self-encrypting external USB disks with keypads that are built on the affected SSDs?

Have a great week.


  1. Abrams L. Flaws in Popular SSD Drives Bypass Hardware Disk Encryption [Internet]. BleepingComputer. 2018 [cited 2018 Nov 17]. Available from: https://www.bleepingcomputer.com/news/security/flaws-in-popular-ssd-drives-bypass-hardware-disk-encryption/
  2. Radboud University. Radboud University researchers discover security flaws in widely used data storage devices [Internet]. Radboud University. 2018 [cited 2018 Nov 17]. Available from: https://www.ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/radboud-university-researchers-discover-security/
  3. Rouse M. What is evil maid attack? – Definition from WhatIs.com [Internet]. SearchSecurity. 2018 [cited 2018 Nov 25]. Available from: https://searchsecurity.techtarget.com/definition/evil-maid-attack
  4. MSRC M. ADV180028 | Guidance for configuring BitLocker to enforce software encryption [Internet]. Security TechCenter. 2018 [cited 2018 Nov 17]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180028

About 60% of exploits are published before the CVE. What does this mean for your cyber security strategy?

4 November 2018

A few days ago Cisco published vulnerability CVE-2018-15454[1][2] in the software of its security products Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). Cisco discovered the flaw while investigating a support case; in other words, attackers were already using a zero-day exploit.

How frequent are zero-days? The question is not easy to answer because malicious activity takes time to detect. A usable proxy is to compare the date an exploit is published in the Exploit Database[3] with the date the vulnerability is published in the NVD.

Figure 1. Exploit publication date relative to CVE publication date. Data: 2013 – 2017

Between 2013 and 2017 about 60% of the exploits were published before the CVE. So roughly 60% of published exploits are candidates for zero-day exploits.

Figure 2. Exploit publication date relative to CVE publication date details. Data: 2013 – 2017

Figure 2 shows the details within 30 days prior and after the CVE was published.
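The comparison behind Figures 1 and 2, as an added example that is not the original author's code or data: for each exploit the offset is the Exploit-DB publication date minus the NVD publication date, a negative offset marks a zero-day candidate, and the ±30-day window gives the Figure 2 view. The records are constructed placeholders, not real CVEs.

```python
"""Exploit publication date versus CVE publication date (Figures 1 and 2).

Added example, not the original author's code or data. The records below are
constructed (placeholder ids and dates) and only show the method: for each
exploit, offset = exploit date - CVE date; a negative offset means the exploit
was public before the CVE, i.e. a zero-day candidate in the post's sense.
"""
from collections import Counter
from datetime import date

# Constructed (id, cve_published, exploit_published) records; not real data.
RECORDS = [
    ("EXAMPLE-1", date(2017, 3, 14), date(2017, 2, 20)),    # exploit first
    ("EXAMPLE-2", date(2017, 5, 2), date(2017, 5, 2)),      # same day
    ("EXAMPLE-3", date(2017, 6, 30), date(2017, 9, 1)),     # CVE first
    ("EXAMPLE-4", date(2017, 8, 9), date(2016, 12, 1)),     # long before CVE
    ("EXAMPLE-5", date(2017, 11, 21), date(2017, 11, 10)),  # exploit first
]


def offsets_in_days(records):
    """Exploit publication date minus CVE publication date, in days, per record."""
    return [(exploit - cve).days for _, cve, exploit in records]


def share_before_cve(records):
    """Fraction of exploits published strictly before their CVE (Figure 1's 60%)."""
    offs = offsets_in_days(records)
    return sum(1 for d in offs if d < 0) / len(offs) if offs else 0.0


def window_histogram(records, window=30):
    """Exploits per day offset within +/- window days (Figure 2); offsets
    outside the window are folded into the '<-window' and '>window' bins."""
    hist = Counter()
    for d in offsets_in_days(records):
        if d < -window:
            hist[f"<-{window}"] += 1
        elif d > window:
            hist[f">{window}"] += 1
        else:
            hist[d] += 1
    return hist


if __name__ == "__main__":
    print(f"published before CVE: {share_before_cve(RECORDS):.0%}")
    for k, v in sorted(window_histogram(RECORDS).items(), key=str):
        print(f"{k!s:>5}: {v}")
```

Replacing RECORDS with the real Exploit-DB and NVD publication dates reproduces the two figures; with the constructed records the share before the CVE happens to be 60%.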

This is no reason to panic, but it does mean that remediation should start as soon as an exploit is published. Do not waste time!

In addition, since remediation takes time, it makes sense to invest in measures that enhance the resilience of application systems. Expect the worst and be prepared.

Find out more in the following posts.

Have a great week.


  1. MITRE. NVD – CVE-2018-15454 [Internet]. 2018 [cited 2018 Nov 3]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2018-15454
  2. Cisco Security. Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software Denial of Service Vulnerability [Internet]. Cisco Security Advisory. 2018 [cited 2018 Nov 3]. Available from: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos
  3. Offensive Security. Offensive Security’s Exploit Database Archive [Internet]. Exploit Database. [cited 2018 Nov 4]. Available from: https://www.exploit-db.com/