Vulnerability Details: CVE-2018-12037
An issue was discovered on Samsung 840 EVO and 850 EVO devices (only in "ATA high" mode, not vulnerable in "TCG" or "ATA max" mode), Samsung T3 and T5 portable drives, and Crucial MX100, MX200 and MX300 devices. Absence of a cryptographic link between the password and the Disk Encryption Key allows attackers with privileged access to SSD firmware full access to encrypted data.
Products affected by CVE-2018-12037
- cpe:2.3:o:samsung:840_evo_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:samsung:850_evo_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:samsung:t3_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:samsung:t5_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:micron:crucial_mx100_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:micron:crucial_mx200_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:micron:crucial_mx300_firmware:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-12037
- EPSS score: 0.16% (probability of exploitation activity in the next 30 days)
- Percentile: ~38% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-12037
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
1.9 | LOW | AV:L/AC:M/Au:N/C:P/I:N/A:N | 3.4 | 2.9 | NIST | |
4.0 | MEDIUM | CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N | 0.4 | 3.6 | NIST | |
References for CVE-2018-12037
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180028
  ADV180028 | Guidance for configuring BitLocker to enforce software encryption (Patch; Third Party Advisory; Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20181112-0001/
  Self-Encrypting Solid State Drive Vulnerabilities in NetApp Products | NetApp Product Security (Third Party Advisory)
- http://www.securityfocus.com/bid/105840
  Self-Encrypting Drives CVE-2018-12037 Local Security Bypass Vulnerability (Third Party Advisory; VDB Entry)