search menu icon-carat-right cmu-wordmark

CERT Coordination Center

ATA interface software may not properly handle ATA security features

Vulnerability Note VU#964064

Original Release Date: 2012-06-21 | Last Revised: 2012-06-21

Overview

ATA interface software, including multiple system board BIOS implementations do not adequately manage the ATA hard drive security mode. An attacker may be able to manipulate this situation to completely lock a hard drive resulting in an almost unrecoverable denial-of-service condition

Description

ATA compliant devices may include the ability to a 32 byte password to prevent data on a device from being disclosed to unauthorized parties. Once set, the password must be entered via the ATA interface software at boot time or the drive will lock itself. When a system is booted the ATA compliant drive should validate the password, if it has been set. Next, the ATA interface software should issue the SECURITY FREEZE LOCK command to prevent changes to the password until the system is rebooted. Please note that if the security features are supported by a ATA compliant drive, they are inactive until a password is set with the SECURITY SET PASSWORD command. Many different system components may have the ability to issue ATA commands, including the system board BIOS, add-in cards, operating system drivers, and software utilities.

However, if a system does not properly handle the ATA security features, then it is likely that that system does not issue the SECURITY FREEZE LOCK command. If an attacker can gain the privileges needed to issue ATA commands on a system, and that system does not issue the SECURITY FREEZE LOCK command, that attacker may be able to arbitrarily set the password for that drive. Once the password is set, the next time the system is rebooted the system's drive will remain in a locked state until the password is provided. A locked hard drive will ignore commands such as those used to read, write, or erase data. This results in a complete denial-of-service condition.

We believe that vendors who have the ability to issue ATA commands should issue the SECURITY FREEZE LOCK command for every ATA connected device at the earliest possible moment. Given this, we have marked vendors that issue the SECURITY FREEZE LOCK command as not vulnerable.

Impact

If an attacker can change the ATA password on an ATA device, that attacker can completely lock the device, making all the data on the device inaccessible.

Solution

Upgrade ATA Software
Install or upgrade BIOS, firmware, or ATA drivers that properly issue the SECURITY FREEZE LOCK command.

Vendor Information

964064
 

Check Point Software Technologies Not Affected

Notified:  August 18, 2005 Updated: October 25, 2005

Statement Date:   October 25, 2005

Status

Not Affected

Vendor Statement

Check Point products are not affected by this issue.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi Not Affected

Notified:  August 18, 2005 Updated: October 13, 2005

Statement Date:   October 13, 2005

Status

Not Affected

Vendor Statement

Hitachi notebook PCs and desktop PCs are not affected to this issue.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NextHop Technologies, Inc. Not Affected

Notified:  August 18, 2005 Updated: October 18, 2005

Statement Date:   October 18, 2005

Status

Not Affected

Vendor Statement

As NextHop does neither ship, nor manages, ATA devices, our code is not susceptible to this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD Not Affected

Notified:  August 18, 2005 Updated: June 21, 2012

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

3com, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AMI Unknown

Updated:  June 08, 2005

Statement Date:   June 08, 2005

Status

Unknown

Vendor Statement

AMI has a patch for this vunerability available to customers, which is integrated into our next core update for AMIBIOS8. Future products will continue to be tested against this issue.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

AT&T Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Alcatel Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

American Megatrends Incorporated (AMI) Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple Computer, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Avaya, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Avici Systems, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Charlotte's Web Networks Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Chiaro Networks, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cisco Systems, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc. Unknown

Notified:  October 24, 2005 Updated: October 24, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

D-Link Systems, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Data Connection, Ltd. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian Linux Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC, Inc. (formerly Data General Corporation) Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Extreme Networks Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project Unknown

Notified:  October 07, 2005 Updated: October 07, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Force10 Networks, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Foundry Networks, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux Unknown

Notified:  October 07, 2005 Updated: October 07, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hyperchip Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Immunix Communications, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ingrian Networks, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intel Corporation Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Lucent Technologies Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Luminous Networks Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation Unknown

Updated:  September 22, 2005

Statement Date:   May 24, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MontaVista Software, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Motorola, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Multinet (owned Process Software Corporation) Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Multitech, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Network Appliance, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nortel Networks, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Phoenix Technologies Ltd. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QNX, Software Systems, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Redback Networks, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ricoh Corporation Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Riverstone Networks, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Seagate Technology LLC Unknown

Notified:  August 11, 2005 Updated: August 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sequent Computer Systems, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified:  October 07, 2005 Updated: October 07, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sun Microsystems, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The SCO Group Unknown

Notified:  October 24, 2005 Updated: October 24, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The SCO Group (SCO Linux) Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The SCO Group (SCO Unix) Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Trustix Secure Linux Unknown

Notified:  October 07, 2005 Updated: October 07, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

UNISYS Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu Unknown

Notified:  October 07, 2005 Updated: October 07, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ZyXEL Unknown

Notified:  August 18, 2005 Updated: August 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 76 vendors View less vendors


CVSS Metrics

Group Score Vector
Base 4.7 AV:L/AC:M/Au:N/C:N/I:N/A:C
Temporal 3.8 E:POC/RL:TF/RC:C
Environmental 2.9 CDP:ND/TD:M/CR:ND/IR:H/AR:ND

References

Acknowledgements

This issue was published in an article in c't. Thanks also to Seagate for expert advice.

This document was written by Jeff Gennari.

Other Information

CVE IDs: None
Severity Metric: 2.25
Date Public: 2005-04-02
Date First Published: 2012-06-21
Date Last Updated: 2012-06-21 19:46 UTC
Document Revision: 72

Sponsored by CISA.