Unquoted Search Path Vulnerability in CANVIO Premium and Slim Hard Drives
CVE-2020-5569

8.4HIGH

Key Information:

Vendor
Toshiba
Status
Hdd Password Tool (for Windows)
Vendor
CVE Published:
20 April 2020

Summary

An unquoted search path vulnerability in the HDD Password tool for Windows allows attackers to exploit the improper handling of file paths. This issue affects various models of Toshiba's CANVIO Premium and Slim external hard drives. The vulnerability arises because the tool registers Windows services using unquoted paths, which can lead to the execution of malicious executables placed in specific directories. This poses a significant risk, particularly for systems with the affected versions downloaded prior to May 10, 2020.

Affected Version(s)

HDD Password tool (for Windows) version 1.20.6620 and earlier which is stored in CANVIO PREMIUM 3TB(HD-MB30TY, HD-MA30TY, HD-MB30TS, HD-MA30TS), CANVIO PREMIUM 2TB(HD-MB20TY, HD-MA20TY, HD-MB20TS, HD-MA20TS), CANVIO PREMIUM 1TB(HD-MB10TY, HD-MA10TY, HD-MB10TS, HD-MA10TS), CANVIO SLIM 1TB(HD-SB10TK, HD-SB10TS), and CANVIO SLIM 500GB(HD-SB50GK, HD-SA50GK, HD-SB50GS, HD-SA50GS), and which was downloaded before 2020 May 10

References

https://www.canvio.jp/news/20200420.htm
x_refsource_MISC
https://jvn.jp/en/jp/JVN13467854/index.html
x_refsource_MISC

CVSS V3.1

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.