mx500 ssd CVE-2024-42642 (Buffer Overflow)

I found a site that says that Micron Crucial MX500 Series Solid State Drives M3CR046 is vulnerable to Buffer Overflow, which can be triggered by sending specially crafted ATA packets from the host to the drive controller.


- https://www.cve.org/CVERecord?id=CVE-2024-42642
- https://github.com/VL4DR/CVE-2024-42642/tree/main
- https://nvd.nist.gov/vuln/detail/CVE-2024-42642

I write it here for discussion.
 
I wonder if this affects M3CR043 firmware? I have two of these drives. One has 043, which is my game drive; the other one was the OS drive, it does have M3CR046 firmware, which I switched out since it was losing health rather fast. It's down to 94% since I bought it in February this year.
 
 
Didn't this drive have excessive write amplification issues?

Yes on the earlier firmware and controller branch. Old thread on here somewhere for that.

What level of privilege do you need for this exploit?
 
I wouldn't lose any sleep over it. Someone has to know in advance which brand and type of SSD you have, and then get into your PC and SSD without you noticing. The chance of that is virtually nil. They will not so much target a home user.
Crucial will probably be working on an update. They use various components and controllers for the same cheap drive and so they have many different firmware versions around. No idea if older SSDs are vulnerable and if Crucial will update them too.

The M3CR042 to M3CR045 firmware versions were known to let the computer just hang up because the drive did not respond anymore after a very long time power on. The M3CR046 firmware fixed that problem. In their own words:

M3CR046 is an optional update which repairs a hang condition occurring under corner-case workloads. Most Windows desktop and notebook users will be unaffected by this change.
 
I see a new firmware M3CR047 in the Crucial tool.
 
M3CR047 firmware just fixes this flaw, but it's nothing to lose sleep over... As said, the attacker needs to know in advance what SSD type and brand you have, very unlikely to happen with home users... And he also needs to crack your computer before he can do this.

 
I wouldn't lose any sleep over it. Someone has to know in advance which brand and type of SSD you have, and then get into your PC and SSD without you noticing. The chance of that is virtually nil. They will not so much target a home user.
Crucial will probably be working on an update. They use various components and controllers for the same cheap drive and so they have many different firmware versions around. No idea if older SSDs are vulnerable and if Crucial will update them too.

The M3CR042 to M3CR045 firmware versions were known to let the computer just hang up because the drive did not respond anymore after a very long time power on. The M3CR046 firmware fixed that problem. In their own words:

M3CR046 is an optional update which repairs a hang condition occurring under corner-case workloads. Most Windows desktop and notebook users will be unaffected by this change.

I installed the MX500 on an old Lenovo laptop, replacing a DRAM-less SSD. It works fine but freezes randomly after screen lock. Sometimes once every day and today twice. I just updated the firmware to M3CR047 using Storage Executive. Had to run CrystalDiskMark in the background to write to the SSD, else it won't update?
The error message is:

"Firmware Update Error Command aborted by the drive Firmware Update Error API Message: Upgrading drive Drive0 [Serial No. 2415E8A6D747] to M3CR047 Firmware Update on Drive0 failed with status 12"

Have to run CrystalDiskMark in the background before it can update firmware.
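
For checking which drives are on which firmware, here is an added example that is not from any poster in this thread and is not Crucial's tooling: it sorts `smartctl -i` text output into the categories the thread discusses (M3CR046 named in the CVE, M3CR047 reported here as the fix, everything else left open). The sample outputs are constructed, and the MX500 model-string pattern and status names are assumptions.

```python
import re

# Firmware status as stated in this thread, not taken from a vendor advisory.
AFFECTED = {"M3CR046"}  # version named in the CVE-2024-42642 text quoted above
FIXED = {"M3CR047"}     # reported in the thread as fixing the flaw

FIELD_RE = re.compile(r"^(Device Model|Firmware Version):[ \t]*(\S.*?)[ \t]*$", re.M)
MX500_RE = re.compile(r"^CT\d+MX500SSD\d+$")  # assumed MX500 model-string shape

# Constructed `smartctl -i` excerpts (serials are placeholders).
SAMPLES = {
    "os-drive": "Device Model:     CT500MX500SSD1\n"
                "Serial Number:    CONSTRUCTED0001\n"
                "Firmware Version: M3CR046\n",
    "game-drive": "Device Model:     CT500MX500SSD1\n"
                  "Firmware Version: M3CR043\n",
    "updated": "Device Model:     CT1000MX500SSD1\n"
               "Firmware Version: M3CR047\n",
    "other-vendor": "Device Model:     EXAMPLE SSD 870\n"
                    "Firmware Version: M3CR046\n",
    "truncated": "Device Model:     CT500MX500SSD1\n",
}


def triage(smartctl_text):
    """Return (model, firmware, status) for one drive's `smartctl -i` output."""
    fields = dict(FIELD_RE.findall(smartctl_text))
    model, fw = fields.get("Device Model"), fields.get("Firmware Version")
    if model is None or fw is None:
        return model, fw, "unparsed"
    if not MX500_RE.match(model):
        return model, fw, "not-mx500"  # firmware string alone is not enough
    if fw in AFFECTED:
        return model, fw, "affected"
    if fw in FIXED:
        return model, fw, "fixed"
    # The thread leaves open whether other versions (e.g. M3CR043) are affected.
    return model, fw, "unknown"


def triage_all(samples):
    """Map each drive label to its status."""
    return {name: triage(text)[2] for name, text in samples.items()}


if __name__ == "__main__":
    for name, status in triage_all(SAMPLES).items():
        print(f"{name}: {status}")
```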