{"vuid":"VU#964064","idnumber":"964064","name":"ATA interface software may not properly handle ATA security features","keywords":["ATA","Security Set Password","locking","BIOS","SECURITY FREEZE LOCK","denial of service"],"overview":"ATA interface software, including multiple system board BIOS implementations, does not adequately manage the ATA hard drive security mode. An attacker may be able to manipulate this situation to completely lock a hard drive, resulting in an almost unrecoverable denial-of-service condition.","clean_desc":"ATA-compliant devices may include the ability to set a 32-byte password to prevent data on a device from being disclosed to unauthorized parties. Once set, the password must be entered via the ATA interface software at boot time or the drive will lock itself. When a system is booted, the ATA-compliant drive should validate the password if it has been set. Next, the ATA interface software should issue the SECURITY FREEZE LOCK command to prevent changes to the password until the system is rebooted. Please note that if the security features are supported by an ATA-compliant drive, they are inactive until a password is set with the SECURITY SET PASSWORD command. Many different system components may have the ability to issue ATA commands, including the system board BIOS, add-in cards, operating system drivers, and software utilities. However, if a system does not properly handle the ATA security features, then it is likely that that system does not issue the SECURITY FREEZE LOCK command. If an attacker can gain the privileges needed to issue ATA commands on a system, and that system does not issue the SECURITY FREEZE LOCK command, that attacker may be able to arbitrarily set the password for that drive. Once the password is set, the next time the system is rebooted, the system's drive will remain in a locked state until the password is provided. A locked hard drive will ignore commands such as those used to read, write, or erase data.
This results in a complete denial-of-service condition. We believe that vendors who have the ability to issue ATA commands should issue the SECURITY FREEZE LOCK command for every ATA connected device at the earliest possible moment. Given this, we have marked vendors that issue the SECURITY FREEZE LOCK command as not vulnerable.","impact":"If an attacker can change the ATA password on an ATA device, that attacker can completely lock the device, making all the data on the device inaccessible.","resolution":"Upgrade ATA Software\nInstall or upgrade BIOS, firmware, or ATA drivers that properly issue the SECURITY FREEZE LOCK command.","workarounds":"","sysaffected":"","thanks":"This issue was published in an article in c't. Thanks also to Seagate for expert advice.","author":"This document was written by Jeff Gennari.","public":["http://www.heise.de/artikel-archiv/ct/2005/08/172","http://www.heise.de/ct/english/05/08/172/","http://www.freerepublic.com/focus/f-chat/1376364/posts","http://lists.freebsd.org/pipermail/freebsd-hackers/2005-April/011318.html","http://forums.macnn.com/90/mac-os-x/257495/major-ata-security-risk-apple-computers/","http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/ata/wd.c#rev1.43"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2005-05-19T16:13:32Z","publicdate":"2005-04-02T00:00:00Z","datefirstpublished":"2012-06-21T19:43:09Z","dateupdated":"2012-06-21T19:46:38Z","revision":72,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"4","cam_widelyknown":"10","cam_exploitation":"0","cam_internetinfrastructure":"20","cam_population":"20","cam_impact":"20","cam_easeofexploitation":"10","cam_attackeraccessrequired":"1","cam_scorecurrent":"2.25","cam_scorecurrentwidelyknown":"3","cam_scorecurrentwidelyknownexploited":"4.5","ipprotocol":"","cvss_accessvector":"L","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"N","cvss_integrityimpact":"N","cvss_availabilityimpact":"C",
"cvss_exploitablity":null,"cvss_remediationlevel":"TF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"H","cvss_securityrequirementsar":"ND","cvss_basescore":"4.7","cvss_basevector":"AV:L/AC:M/Au:N/C:N/I:N/A:C","cvss_temporalscore":"3.8","cvss_environmentalscore":"2.9","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:H/AR:ND","metric":2.25,"vulnote":null}