
Self-Encrypting Drives Vulnerabilities (CVE-2018-12037 and CVE-2018-12038): Mitigation steps for Dell Encryption products

Summary: Mitigation steps and concerns for the solid-state drive vulnerability described in VU#395981.

This article is not tied to any specific product. Not all product versions are identified in this article.

Instructions

Affected Products:

  • Dell Encryption Enterprise
  • Dell Encryption Personal
  • Dell Endpoint Security Suite
  • Dell Endpoint Security Suite Enterprise
  • Dell Encryption - BitLocker Manager
  • Dell Encryption - Self-Encrypting Drive Management

Dell is aware of reports of vulnerabilities in the hardware encryption of certain self-encrypting solid state drives as described in Vulnerability Note VU#395981. We are investigating the possible impact of these vulnerabilities on our products and will provide updates as quickly as possible. Our first priority is protecting our customers and ensuring the security of their data and computers.

Vulnerability Note VU#395981 describes weaknesses that may allow access to drives protected by hardware-accelerated BitLocker implementations (commonly referred to as eDrive), as well as to many SEDs.

Drives managed by BitLocker with hardware-accelerated encryption follow the eDrive specification, which does not necessarily make them Self-Encrypting Drives (SED). The eDrive specification requires IEEE 1667 compliance, which differs from the OPAL2 specification used by many Self-Encrypting Drive management technologies.

The specification requirements for eDrive (the Microsoft name for hardware-accelerated BitLocker) are found here: https://docs.microsoft.com/en-us/windows/security/information-protection/encrypted-hard-drive

This vulnerability also affects some SEDs, many of which fall under the TCG OPAL and OPAL2 specification, which is defined here: https://trustedcomputinggroup.org/resource/storage-work-group-storage-security-subsystem-class-opal/

This vulnerability affects the disks themselves and not the Dell Encryption software, and not all drives are affected by this vulnerability. Dell is working with its vendors to determine the impact and ensure that remediation plans are in place for affected drives.

Mitigating vulnerability concerns with Dell Encryption

For customers using the Dell Self-Encrypting Drive Management solution, Dell suggests adding an extra layer of security to their computers. This is done by layering Dell Policy Based Encryption onto computers with drives that have been identified as potentially vulnerable until updated firmware for these disks is available.

Devices running Policy Based Encryption on an SED can additionally encrypt the SED with the System Data Encryption (SDE) key. For more information, reference: How to Enable SDE Encryption for Dell Encryption Enterprise or Dell Encryption Personal on Systems With Self-Encrypting Drives.

Alternatively, if a whole-volume encryption solution is required, BitLocker's hardware-based encryption can be replaced with BitLocker software-based encryption.

How to disable hardware-based acceleration for BitLocker with Dell Encryption

Customers with Dell's BitLocker Manager who are concerned that they may be vulnerable to the issues described in VU#395981 can mitigate risk by updating their policies. In the Dell Security Management Server, disable the policy Use Hardware-Based Encryption for Fixed Data Drives, together with the equivalent policies for operating system drives and removable drives (each drive type has a similar policy that leverages hardware acceleration if it is available). Disabling these policies prevents hardware-accelerated encryption from being used on those drives. If a drive had been using eDrive or hardware-accelerated encryption for protection, the drive is decrypted and then re-encrypted using a software-based method.

These policies are endpoint-based policies and are located within the BitLocker Encryption policy set, under the respective category for the drive type (Operating System Volume, Fixed Data Volume, Removable Storage). For more information about modifying a policy within the Dell Security Management Server, reference: How To Modify Policies on the Dell Data Protection Server.

For customers who are not running the Dell Data Security Management Server, the settings to allow for hardware-based encryption (if it is available on drives) can be managed using GPO or Registry entries. This data can be found for GPOs at Microsoft’s site here, under the policies for:
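The following PowerShell script is an added example, not part of the Dell article, for auditing an endpoint that is not managed by the Dell Security Management Server: it reports whether the hardware-based encryption policies are set and whether any BitLocker volume is currently relying on the drive's hardware encryption. It assumes the BitLocker PowerShell module is present and that the FVE policy value names (OSHardwareEncryption, FDVHardwareEncryption, RDVHardwareEncryption) match Microsoft's ADMX; verify them against Microsoft's documentation before relying on them.

```powershell
# Added example (not Dell's code): audit hardware-based BitLocker encryption on this endpoint.
# Run from an elevated PowerShell session.
# Assumption: the value names below match the FVE policy ADMX; verify against Microsoft docs.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$HardwarePolicyValues = @{
    'Operating System Volume' = 'OSHardwareEncryption'
    'Fixed Data Volume'       = 'FDVHardwareEncryption'
    'Removable Storage'       = 'RDVHardwareEncryption'
}

# Report each drive-type policy as not configured, disabled (0), or enabled (non-zero).
foreach ($driveType in $HardwarePolicyValues.Keys) {
    $name  = $HardwarePolicyValues[$driveType]
    $value = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
    $state = if ($null -eq $value) { 'not configured' }
             elseif ($value -eq 0)  { 'disabled' }
             else                   { "enabled ($value)" }
    Write-Output ("Hardware-based encryption policy for {0}: {1}" -f $driveType, $state)
}

# Volumes whose EncryptionMethod is 'Hardware' depend on the drive's own encryption engine;
# those are the volumes that need to be re-encrypted with a software-based method.
$hardwareVolumes = Get-BitLockerVolume | Where-Object { $_.EncryptionMethod -eq 'Hardware' }
if ($hardwareVolumes) {
    Write-Output 'BitLocker volumes currently using hardware-based encryption:'
    $hardwareVolumes |
        Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionMethod |
        Format-Table -AutoSize
} else {
    Write-Output 'No BitLocker volumes are using hardware-based encryption on this endpoint.'
}
```

Disabling the policies only takes effect after the affected volumes have been decrypted and re-encrypted in software, so re-run the audit once that conversion completes.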

How do I determine if an endpoint may be affected?

For those who want to quickly determine whether drives may be vulnerable, Dell can provide DellOpalCheckerLite, a utility that can be run from a script to identify SEDs and determine their status.

Note: This utility can be provided by Dell Data Security ProSupport using Chat (US only) or by phone, found at the links at the bottom of this article.

DellOpalCheckerLite can be run from the command line. It requires the disk number of the drive to analyze; for example, to analyze the first disk presented to the operating system, which is commonly the operating system drive, use the following syntax:

DellOpalCheckerLite.exe 0

If additional disk numbers are present, additional lines can be provided in a script to output the status for other disks in the computer.

Each time DellOpalCheckerLite is run, the ERRORLEVEL environment variable is updated and can be read by the script to determine the status of that disk.

The following table lists the return values (ERRORLEVEL) from running DellOpalCheckerLite:

Name                             Code   Meaning
SUPPORTED_NOT_OWNED              0      Test indicates that installation would succeed.
NOT_SUPPORTED                    1      Test indicates that this disk is not supported.
SUPPORTED_OWNED                  2      Test indicates that the disk is supported, but AdminSP is already owned.
COMPATIBILITY_ERROR              3      Test indicates some compatibility problem.
NO_OPAL_DISK                     4      Test indicates this is not an Opal disk.
LOCKINGSP_ACTIVE_NOT_OWNED       6      Test indicates the locking SP is active, and AdminSP has SID == MSID (a previous test may have failed).
LOCKINGSP_ACTIVE_OWNED_TESTSID   7      Test indicates the locking SP is active, but AdminSP is already owned by the DellOpalChecker testing SID (a previous test may have failed).
OTHER_ERROR                      50     Some other unspecified error.
PARAMETER_ERROR                  100    Invalid parameter.
MUST_BE_ADMINISTRATOR            101    Program execution level must be Administrator to perform the test.
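The following PowerShell script is an added example, not Dell's own script, that wraps the procedure described above: it runs DellOpalCheckerLite.exe once per disk presented to the operating system and translates each exit code using the return-code table. It assumes the utility has been obtained from Dell ProSupport and placed at the placeholder path in $Checker, and that the script runs from an elevated session (otherwise every disk reports 101).

```powershell
# Added example (not Dell's code): run DellOpalCheckerLite.exe against every disk and
# decode the ERRORLEVEL for each one. Requires an elevated PowerShell session.
$Checker = 'C:\Tools\DellOpalCheckerLite.exe'   # placeholder path; adjust to where the utility was saved

# Return codes as documented in the table above.
$ReturnCodes = @{
    0   = 'SUPPORTED_NOT_OWNED'
    1   = 'NOT_SUPPORTED'
    2   = 'SUPPORTED_OWNED'
    3   = 'COMPATIBILITY_ERROR'
    4   = 'NO_OPAL_DISK'
    6   = 'LOCKINGSP_ACTIVE_NOT_OWNED'
    7   = 'LOCKINGSP_ACTIVE_OWNED_TESTSID'
    50  = 'OTHER_ERROR'
    100 = 'PARAMETER_ERROR'
    101 = 'MUST_BE_ADMINISTRATOR'
}

# Codes 0, 2, 6 and 7 all mean the utility found an Opal SED; those disks are the ones
# to review for firmware updates, SDE layering, or conversion to software BitLocker.
$OpalPresent = 0, 2, 6, 7

$results = foreach ($disk in Get-Disk | Sort-Object Number) {
    # Run the utility with the disk number; the exit code lands in $LASTEXITCODE.
    & $Checker $disk.Number | Out-Null
    $code = $LASTEXITCODE
    [pscustomobject]@{
        Disk   = $disk.Number
        Model  = $disk.FriendlyName
        Code   = $code
        Status = if ($ReturnCodes.ContainsKey($code)) { $ReturnCodes[$code] } else { "UNKNOWN ($code)" }
        IsOpal = $OpalPresent -contains $code
    }
}

$results | Format-Table -AutoSize

# The utility cannot test anything without Administrator rights; flag that explicitly.
if ($results.Code -contains 101) {
    Write-Warning 'DellOpalCheckerLite must be run as Administrator; re-run from an elevated session.'
}
```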

Here is an example output for a drive that is OPAL and is supported (return code ERRORLEVEL = 0).

[Screenshot: example DellOpalCheckerLite output with ERRORLEVEL = 0]

Note: Dell Encryption Policy Based Encryption client, software-based Full Disk Encryption client, and Dell Data Guardian are not exposed to this sort of vulnerability as they do not use the hardware-accelerated encryption of these drives.

For more information about this vulnerability, and notes by specific manufacturers, reference:

United States Computer Emergency Readiness Team: https://www.us-cert.gov/ncas/current-activity/2018/11/06/Self-Encrypting-Solid-State-Drive-Vulnerabilities

Samsung: https://www.samsung.com/semiconductor/minisite/ssd/support/consumer-notice/

Crucial: http://www.crucial.com/usa/en/support-ssd

Further information about the vulnerability: https://www.kb.cert.org/vuls/id/395981/


To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

Dell Encryption, Dell Endpoint Security Suite Pro, Dell Endpoint Security Suite Enterprise
Article Properties
Article Number: 000130689
Article Type: How To
Last Modified: 04 Nov 2024
Version:  10