Thursday, September 12th 2024

Crucial MX500 SSD Firmware M3CR046 Vulnerable to Buffer Overflow Attacks

One of the most popular SATA SSD brands, the Crucial MX500, has a vulnerability in its firmware version M3CR046. Apparently, specific ATA packets issued from the host can trigger a buffer overflow in the drive, cause data leaks. The vulnerability has been chronicled as CVE-2024-42642. At this point we're not sure if older versions of firmware for the MX500 are affected. M3CR046 happens to be the latest firmware version we could see in the Crucial Storage Executive app, which means the company is still working on a firmware update.
Source: Bombastik (TechPowerUp Forums)
Add your own comment

22 Comments on Crucial MX500 SSD Firmware M3CR046 Vulnerable to Buffer Overflow Attacks

#2
Chaitanya
Are crucial mx500 the only ones affected or are other brands also affected?
Posted on Reply
#3
Pepamami
A Computer GuyI have a 2TB MX500 in my Linux box. I guess Linux users will need to use the bootable ISO method.
Ye, fwupd prob would not have anything.
But I think u can attach that iso to ur bootloader (like grub) with no problems.
Posted on Reply
#4
Bwaze
ChaitanyaAre crucial mx500 the only ones affected or are other brands also affected?
I don't know if Silicon Motion SM2259H is even used in any other brand or model of SSD.
Posted on Reply
#6
Assimilator
What a nothingburger... the only way you can send the specially crafted ATA commands that can trigger this firmware bug, is if you already control the system containing that drive. At which point you can just send a FORMAT command instead.

God I hate these so-called "security" researchers that spend their time coming up with the most contrived nonsensical scenarios just so they can get their 15 seconds of fame.
Posted on Reply
#7
Konomi
AssimilatorWhat a nothingburger... the only way you can send the specially crafted ATA commands that can trigger this firmware bug, is if you already control the system containing that drive. At which point you can just send a FORMAT command instead.

God I hate these so-called "security" researchers that spend their time coming up with the most contrived nonsensical scenarios just so they can get their 15 seconds of fame.
While not beneficial to most people (and certainly not newsworthy), you can at least say someone cared enough to fix it, which in turn means someone actually bothered to go over potentially old code instead of leaving it to break other things.
Posted on Reply
#8
_roman_
proof of concept Source code and instructions how to compile for ubuntu. Should apply to any linux kernel based distro.
github.com/VL4DR/CVE-2024-42642/tree/main

source www.cve.org/CVERecord?id=CVE-2024-42642
Those guys used a wrong webpage -> correct one: www.crucial.com

Homepages for MY Curcial P5 Plus or Curcial BX300 claim no firmware updates. Maybe this could be a way around for updates. www.crucial.com/support/storage-executive

Benefits of Storage Executive

  • Enable the Momentum Cache feature and make many SSD operations up to 10x faster
  • Download the latest firmware
  • See how much storage you’ve used
  • Monitor your SSD’s operating temperature and overall health
  • Reset your SSD’s encryption password
  • Verify your SSD’s model number for warranty claims
  • Clear all data stored on the drive
Compatibility and language support
OS COMPATIBILITYMicrosoft® Windows® 7, Windows 8, Windows 10, Windows 11
DRIVE COMPATIBILITYCrucial X10 Pro, X9 Pro, X9, X8, X6, P-series, T-series, T500, MX-series, BX-series, M550, and M500 SSDs
LANGUAGE AVAILABILITYEnglish, French, German, Spanish, Italian, Russian, Japanese, Korean, Simplified Chinese, Traditional Chinese
Posted on Reply
#9
lol1kVR
Greetings folks, I'm the researcher that reported this CVE, so let's clarify a few things for those who don't quite understand what's going on or those who are somewhat worried about this.

-As someone in the comments mentioned, to trigger any of the bugs reported under this CVE, one must have root access to the PC communicating with the controller. It is by itself certainly not a trivial thing, but all sorts of methods exist to achieve that. Since the attack vector is local and elevated privileges are required for this, it's no surprise that this CVE is rated 6.7 (medium) at NVD, which means it's certainly not that critical.
-The first two bugs are in essence DoS attacks, which are not particularly a big deal, however the effect is different than simply formatting the drive or corrupting it; This kind of DoS does not (as far as I can tell) corrupt anything on the drive, but does cause the drive to crash, effectively making it absolutely unresponsive (to any ATA command) until the next power cycle. Is this sort of effect interesting to attackers? Maybe. Maybe not, but I believe it's still worth reporting.
-The last bug is a controlled buffer overflow. What this means, is that, with possibly some more research, code execution could be achieved on the SSD controller. Now this is much more interesting, because attackers residing within the controller are not subject to all sorts of mitigations applied on modern host operating systems.
-SM2259 is shared among multiple SSD vendors, and thus it's absolutely possible that any of these bugs might apply to them, too. Although, keep in mind that vendors might make code modifications to the firmware, which means that these specific bugs might not be applicable to them, but similar ones might be found within the same vulnerable mechanism.

If you have any further questions, you are welcome to ask. Sometimes media outlets misinterpret things, which can cause confusion, so I'm more than willing to clarify whatever is needed.
Posted on Reply
#10
phanbuey
lol1kVRGreetings folks, I'm the researcher that reported this CVE, so let's clarify a few things for those who don't quite understand what's going on or those who are somewhat worried about this.

-As someone in the comments mentioned, to trigger any of the bugs reported under this CVE, one must have root access to the PC communicating with the controller. It is by itself certainly not a trivial thing, but all sorts of methods exist to achieve that. Since the attack vector is local and elevated privileges are required for this, it's no surprise that this CVE is rated 6.7 (medium) at NVD, which means it's certainly not that critical.
-The first two bugs are in essence DoS attacks, which are not particularly a big deal, however the effect is different than simply formatting the drive or corrupting it; This kind of DoS does not (as far as I can tell) corrupt anything on the drive, but does cause the drive to crash, effectively making it absolutely unresponsive (to any ATA command) until the next power cycle. Is this sort of effect interesting to attackers? Maybe. Maybe not, but I believe it's still worth reporting.
-The last bug is a controlled buffer overflow. What this means, is that, with possibly some more research, code execution could be achieved on the SSD controller. Now this is much more interesting, because attackers residing within the controller are not subject to all sorts of mitigations applied on modern host operating systems.
-SM2259 is shared among multiple SSD vendors, and thus it's absolutely possible that any of these bugs might apply to them, too. Although, keep in mind that vendors might make code modifications to the firmware, which means that these specific bugs might not be applicable to them, but similar ones might be found within the same vulnerable mechanism.

If you have any further questions, you are welcome to ask. Sometimes media outlets misinterpret things, which can cause confusion, so I'm more than willing to clarify whatever is needed.
If you were running a VM on this SSD, could this attack be carried out through a hypervisor? - or does the attacker need direct access to the controller?
Posted on Reply
#11
Assimilator
lol1kVRGreetings folks, I'm the researcher that reported this CVE, so let's clarify a few things for those who don't quite understand what's going on or those who are somewhat worried about this.

-As someone in the comments mentioned, to trigger any of the bugs reported under this CVE, one must have root access to the PC communicating with the controller. It is by itself certainly not a trivial thing, but all sorts of methods exist to achieve that. Since the attack vector is local and elevated privileges are required for this, it's no surprise that this CVE is rated 6.7 (medium) at NVD, which means it's certainly not that critical.
-The first two bugs are in essence DoS attacks, which are not particularly a big deal, however the effect is different than simply formatting the drive or corrupting it; This kind of DoS does not (as far as I can tell) corrupt anything on the drive, but does cause the drive to crash, effectively making it absolutely unresponsive (to any ATA command) until the next power cycle. Is this sort of effect interesting to attackers? Maybe. Maybe not, but I believe it's still worth reporting.
-The last bug is a controlled buffer overflow. What this means, is that, with possibly some more research, code execution could be achieved on the SSD controller. Now this is much more interesting, because attackers residing within the controller are not subject to all sorts of mitigations applied on modern host operating systems.
-SM2259 is shared among multiple SSD vendors, and thus it's absolutely possible that any of these bugs might apply to them, too. Although, keep in mind that vendors might make code modifications to the firmware, which means that these specific bugs might not be applicable to them, but similar ones might be found within the same vulnerable mechanism.

If you have any further questions, you are welcome to ask. Sometimes media outlets misinterpret things, which can cause confusion, so I'm more than willing to clarify whatever is needed.
Now see, this is much more useful than sensationalist press articles that obscure the pertinent details behind fearmongering. Thanks for being transparent, and sorry for any harsh words from myself- I just get very annoyed at seeing CVEs reported as if they're the next Y2K, and upon investigation they're absolutely not.
Posted on Reply
#12
Mazer
Are older firmwares affected by this too?
Posted on Reply
#13
lol1kVR
phanbueyIf you were running a VM on this SSD, could this attack be carried out through a hypervisor? - or does the attacker need direct access to the controller?
That's an interesting question. I don't know for sure, but I guess that it would depend on the actual implementation of the hypervisor (whether it emulates FW update requests to the controller or not). I did a quick test on VirtualBox, and seems like it doesn't support the ATA commands needed to trigger the vulnerability at all (there's probably a bunch of ATA commands that aren't supported when running from a VM). So I'd conclude that an attacker would most likely have to send the specially-crafted commands from the host OS.

Now, about older versions - seems like older versions of M3CR04X FW are no longer available for download, so I can't check them. I did take a quick look at M3CR033 FW, and similar issues *seem* to be present there (however, I currently don't have a drive to test it on).
Posted on Reply
#14
Dr. Dro
AssimilatorNow see, this is much more useful than sensationalist press articles that obscure the pertinent details behind fearmongering. Thanks for being transparent, and sorry for any harsh words from myself- I just get very annoyed at seeing CVEs reported as if they're the next Y2K, and upon investigation they're absolutely not.
Sensible and technical data do not attract clicks, after all.
Posted on Reply
#15
chrcoluk
lol1kVRThat's an interesting question. I don't know for sure, but I guess that it would depend on the actual implementation of the hypervisor (whether it emulates FW update requests to the controller or not). I did a quick test on VirtualBox, and seems like it doesn't support the ATA commands needed to trigger the vulnerability at all (there's probably a bunch of ATA commands that aren't supported when running from a VM). So I'd conclude that an attacker would most likely have to send the specially-crafted commands from the host OS.

Now, about older versions - seems like older versions of M3CR04X FW are no longer available for download, so I can't check them. I did take a quick look at M3CR033 FW, and similar issues *seem* to be present there (however, I currently don't have a drive to test it on).
If I remember right there is multiple hardware revisions of the drive each with their own firmware, so the problem here is that if all the models are affected, only the latest model gets the newest firmware, as I think you tested the one for the latest model, hopefully crucial will check and also provide updates for the other revisions as well (if needed).
Posted on Reply
#16
trparky
lol1kVRI did a quick test on VirtualBox, and seems like it doesn't support the ATA commands needed to trigger the vulnerability at all (there's probably a bunch of ATA commands that aren't supported when running from a VM).
Well yeah, that's because VirtualBox is a Type 2 hypervisor. I imagine using a Type 1 hypervisor aka a bare-metal hypervisor would probably work.
Posted on Reply
#17
dirtyferret
AssimilatorGod I hate these so-called "security" researchers that spend their time coming up with the most contrived nonsensical scenarios just so they can get their 15 seconds of fame.
I found a security bug that impacts all Nvidia GPUs, if your Nvidia GPU is left unattended on a subway for several hours it can become vulnerable to "subway tech pirates". Nvidia is yet to acknowledge this security flaw.
Posted on Reply
#18
lol1kVR
chrcolukIf I remember right there is multiple hardware revisions of the drive each with their own firmware, so the problem here is that if all the models are affected, only the latest model gets the newest firmware, as I think you tested the one for the latest model, hopefully crucial will check and also provide updates for the other revisions as well (if needed).
I hope so too. I had tried contacting them multiple times over the course of 3 months before reporting this to MITRE, and I've heard nothing from them to this day. Hopefully now that it's published, they'll consider fixing it.
trparkyWell yeah, that's because VirtualBox is a Type 2 hypervisor. I imagine using a Type 1 hypervisor aka a bare-metal hypervisor would probably work.
Ah right, type 2 hypervisors are usually the first thing that pops in my head when I read "VM".
I agree with you about type 1 though, I'd be pretty surprised if people couldn't, for example, update their drive's FW with HyperV enabled. Thanks for the clarification.
Posted on Reply
#19
R-T-B
AssimilatorWhat a nothingburger... the only way you can send the specially crafted ATA commands that can trigger this firmware bug, is if you already control the system containing that drive. At which point you can just send a FORMAT command instead.

God I hate these so-called "security" researchers that spend their time coming up with the most contrived nonsensical scenarios just so they can get their 15 seconds of fame.
I hate the media outlets that sensationalize them for no reason.

The actual research is helpful.
Posted on Reply
#20
Minus Infinity
Never updated the fw on my MX500, and never even checked. Always weary of doing fw on ssd.
Posted on Reply
#21
trparky
Minus InfinityNever updated the fw on my MX500, and never even checked. Always weary of doing fw on ssd.
Easy, I've done it several times. Though I did make sure that I had a full disk image before I did the update. Just in case.
Posted on Reply
#22
Boombastik
I don't see anything new. Did company respond to this?
Posted on Reply
Add your own comment
Dec 11th, 2024 18:51 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts