back to article Samsung's 'Magician' for SSDs can let crims run evil code

The CERT Coordination Centre at Carnegie Mellon University has just popped two items onto storage admins to-do lists. Item one: Go get version 5.1 of Samsung Magician, stat. The application lets users manage the Korean company's solid state disk drives by doing things like updating firmware, performing secure erasure or …

  1. Hans 1
    Holmes

    Incredible, this ...uses HTTPS and does not verify certificate ... FFS ... you should probably also check which SSL/TLS versions are supported ... given the missing validation, it might use SSL3 or something worse ...

    1. 2460 Something

      Stupid is as stupid does

      It boggles my grey matter that companies of this size are still making silly security mistakes.

      1. Captain DaFt

        Re: Stupid is as stupid does

        "It boggles my grey matter that companies of this size are still making silly security mistakes."

        It's my observation that the bigger the company, the more they adhere to the mantra: "Do it cheap, deliver it yesterday, fix it someday." that tends to produce results like this.

        1. Ian Joyner Bronze badge

          Re: Stupid is as stupid does

          Captain DaFt: >>It's my observation that the bigger the company, the more they adhere to the mantra: "Do it cheap, deliver it yesterday, fix it someday." that tends to produce results like this.<<

          Mostly, I agree. This is why some of us here point out that Apple is different in not doing cheap, testing, and releasing when they are ready. OK, they might just be saying it, but from what us industry insiders observe, it is mostly the case. They don't rush products to market like Samsung and others. As discussed in another Register forum, Apple's testing of the new APFS before going live was amazing - despite the nonsense detractors were throwing up about it.

  2. Christopher Reeve's Horse

    Say 'Abracadabra'...

    ...and is this the arbitrary code you selected?

  3. Christian Berger

    I wonder how security would be...

    ... if we'd all just avoid the obvious problems. I mean updating firmware shouldn't be so common you need a GUI application for that. Then if you download something of the internet, you should at least use TLS certificate pinning, or sign the firmware itself. (however do not have mandatory firmware signing for local updates, as that would prevent people from patching the firmware themselves)

    1. Charles 9

      Re: I wonder how security would be...

      Perhaps because the problems DON'T usually look so obvious, especially during the coding phase and particularly with a deadline looming. Deadlines trump security since missing means you might as well not submit.

      1. Christian Berger

        Re: I wonder how security would be...

        Well, Samsung has 2 advantages with this:

        a) They develop their own chips, so they have a head start when it comes to working with them. They can already write and test the firmware for early prototypes or even for simulations of those chips.

        b) They market themselves as a premium company, so they would even have a bit more time for such things than the competition. Well tested Firmware would be a big advantage justifying the price premium.

  4. Anonymous Coward
    Anonymous Coward

    Bricked SSDs/WD/Seagate RMAs with firmware infections/mods? These companies must know.

    You wonder how many WD and Seagate hard drives , Sandisk/Samsung SSDs are returned as "bricked" but found to have been the result of a firmware infection/modified firmware, in order to destroy a Raid Array for instance.

    Maybe this should be a statutory disclosure. Storage Companies seem to avoid the flak Microsoft get in terms of security, but a drive's firmware is just as vunerable, just as much a hack target and if it succeeds, can do a lot more damage.

  5. Anonymous South African Coward Silver badge

    Baah, we don't have any magicians on our network... Wonder how many undisclosed vulns are there at Samsung and with Samsung products?

  6. Pharris1

    What's the fix?

    So, is the fix for the Samsung Magician security fault simply to update to version 5.1? Or was the fault found in 5.1?

  7. dunbankin
    Thumb Down

    It gets worse...

    Brilliant - installed the new version as recommended, and now it won't recognise my Samsung 850 Pro SSD system drive, even after a reboot. It recognises my ancient Samsung HDD, but states that it is "not supported".

    Sounds like Samsung need to release v5.2 pronto.

  8. Dan 55 Silver badge

    Magician, eh?

    It'd be magic if Samsung actually managed to get https working properly for one of their products.

    He also found that the programmers failed to use SSL encryption for secure connection when transmitting certain data. They use it on some data transmissions but not others, and usually not on ones that need it most.

    "They made a lot of wrong assumptions about where they needed encryption," he says, noting that "it's extra work to move between secure connections and unsecure connections." This indicates that they didn't do it inadvertently but were making conscious decisions not to use SSL in those places, he says.

    link

  9. Destroy All Monsters Silver badge

    "does not validate"

    Someone may have though that "Minimal Viable Product" means "compiles and can be shipped" as opposed to "solves core customer problems in a satisfactory way"

    1. Dan 55 Silver badge

      Re: "does not validate"

      You're raising the bar very high with "in a satisfactory way". It's Samsung, so it's just "can be shipped". Bixby will be compiled later... It might even understand English.

  10. Richard Lloyd

    Not much of a wizard for me

    I have an SM961 M.2 SSD, but on the rare occasion I boot into Windows 10 (I'm in Linux >95% of the time), the Samsung Magician software doesn't want to know about my SSD because it's an OEM variant - this is a ridiculous policy to have really and it prevents me for getting any firmware updates for the SSD :-( Needless to say, I quickly uninstalled the Magician software from my Windows setup and it's never coming back...

    1. Anonymous Coward
      Anonymous Coward

      Re: Not much of a wizard for me

      It's the Saruman version, not the Gandalf version.

    2. Pompous Git Silver badge
      Linux

      Re: Not much of a wizard for me

      When I boot into Win7 I see a dialog box asking if I want to update Samsung Magician. If I click OK the process never completes. I've never been arsed to manually update and of course it's irrelevant when booting Cinnamon Mint...

  11. Anonymous Coward
    Anonymous Coward

    Because this shouldn't worry anyone either...

    From Samsung Magician 5.1 Consumer Edition:

    <snip>

    3. CONSENT ON DATA USE AND TRANSFER

    You understand and agree that Samsung will collect, use and transfer internationally data relating to your device, including technical information about the systems and applications, application programs and devices associated with and connected to your device, in order to provide product support, engage in statistical research, upgrade our software and provide other related services. This data may be shared with other Samsung affiliates worldwide and our service providers for these purposes.

    </snip>

    YMMV with the Enterprise Edition

  12. GettinSadda

    VLC Explot Seems Live!

    VLC seems to have a similar hole, and it is being exploited.

    Note that I have not 100% verified this is not a false alarm.

    However, my copy of VLC Player 2.2.4 just offered to download the latest version and I got the following pop up from BitDefender:

    "The file {local\temp}\vlc-2.2.6-win32.exe is infected with Gen:Variant.razy.181333."

  13. Anonymous Coward
    Anonymous Coward

    Silent Uninstall

    64 bit: "C:\Program Files (x86)\Samsung\Samsung Magician\unins000.exe" /VERYSILENT /NORESTART /SUPPRESSMSGBOXES

    32 bit: "C:\Program Files\Samsung\Samsung Magician\unins000.exe" /VERYSILENT /NORESTART /SUPPRESSMSGBOXES

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like