@Crucial_AgentC

As a former embedded developer, I find this vulnerability extremely suspicious. It looks to me very much like a deliberately-written backdoor.

Would I be correct in presuming that the firmware in the vulnerable drives were originally written by the controller vendor (Marvell in this case, I believe) and then customised by Micron?

Has the firmware in your drives ever had a security audit? Does Micron have any plans to have their firmware audited for security issues in the future?

Yes, it really looks like a deliberate backdoor.

Hard to imagine an engineer skilled enough to implement a complex system as Opal Tcg would compare two passwords to grant access instead of using the password to decrypt DEK (Drive Encryption Key).

But we will never know how this really happened, could still be a mistake.

Sorry for any mistakes. English is not my native language

On twitter on of the authors of https://www.ru.nl/publish/pages/909275/draft-paper_1.pdf wrote

Bernard van Gastel‏ @bvgastel 23h23 hours ago

Thank you for your question. The response given by @bogdan was correct, the MU05 firmware for the MX200 and the MU03 for the MX100 in May of 2018. This is the latest update and contains the fix for the vulnerability. 

Crucial_AgentC, Micron CPG Support, US


How do I know what memory to buy?
Shop for your region: US | UK | EU | France |
I think my memory is bad. What do I do now?
FAQs and Top Forum Solutions
Did a user help you? Say thanks by giving Kudos!
Still need help? Contact Customer Service
Want to be a Super User?

Hello Crucial_AgentC,

Update MU05 preserved both data and password.
Could you please explain how it is possible to create linkage between password and DEK (Drive Encryption Key) without erasing the drive and setting a new password ?

Sorry for any mistakes. English is not my native language.

Firmware updates to resolve potential security vulnerabilities are in development and will be available soon. Please check back towards the end of November for updates to the MX300 firmware.

Crucial_Benny, Micron CPG Support, US


How do I know what memory to buy?
Shop for your region: US | UK | EU | France |
I think my memory is bad. What do I do now?
FAQs and Top Forum Solutions
Did a user help you? Say thanks by giving Kudos!
Still need help? Contact Customer Service
Want to be a Super User?

Repeating what bodgan asked, is the M500 and M550 is also affected?  Most likely considering the MX100, MX200 and MX300's firmware were derived from the 2 earlier drives and all use Marvell based controllers.

Will the M500 and M500 get security fixes?

@Guest2 only the MX100, MX200, and MX300 were effected by this. Firmware updates were rolled out for the MX100 and MX200 in May, so as long as you have the most recent firmware on those drives they are secure. The MX300 is last drive waiting on the update. This issue does not effect the current line of drives, including the MX500.

Crucial_Benny, Micron CPG Support, US


How do I know what memory to buy?
Shop for your region: US | UK | EU | France |
I think my memory is bad. What do I do now?
FAQs and Top Forum Solutions
Did a user help you? Say thanks by giving Kudos!
Still need help? Contact Customer Service
Want to be a Super User?