11-09-2018 11:21 AM
Thank you for contacting us. The MX500 is not affected by the vulnerability in the news lately.
11-09-2018 12:12 PM
As a former embedded developer, I find this vulnerability extremely suspicious. It looks to me very much like a deliberately-written backdoor.
Would I be correct in presuming that the firmware in the vulnerable drives were originally written by the controller vendor (Marvell in this case, I believe) and then customised by Micron?
Has the firmware in your drives ever had a security audit? Does Micron have any plans to have their firmware audited for security issues in the future?
11-09-2018 02:01 PM
Yes, it really looks like a deliberate backdoor.
Hard to imagine an engineer skilled enough to implement a complex system as Opal Tcg would compare two passwords to grant access instead of using the password to decrypt DEK (Drive Encryption Key).
But we will never know how this really happened, could still be a mistake.
Sorry for any mistakes. English is not my native language
11-09-2018 03:19 PM
On twitter on of the authors of https://www.ru.nl/publish/pages/909275/draft-paper_1.pdf wrote
About that SSD research we did: we sort of stumbled into it. Just by being curious how SSDs would work, as a hobby project for off hours. We assumed nothing, and tested every assumption. Then one evening we discussed encryption, while riding our bikes, and 15 min later we were in
11-09-2018 04:55 PM
Thank you for your question. The response given by @bogdan was correct, the MU05 firmware for the MX200 and the MU03 for the MX100 in May of 2018. This is the latest update and contains the fix for the vulnerability.
11-10-2018 05:12 AM
Update MU05 preserved both data and password.
Could you please explain how it is possible to create linkage between password and DEK (Drive Encryption Key) without erasing the drive and setting a new password ?
Sorry for any mistakes. English is not my native language.
11-13-2018 08:10 AM
Firmware updates to resolve potential security vulnerabilities are in development and will be available soon. Please check back towards the end of November for updates to the MX300 firmware.
11-13-2018 07:00 PM
Repeating what bodgan asked, is the M500 and M550 is also affected? Most likely considering the MX100, MX200 and MX300's firmware were derived from the 2 earlier drives and all use Marvell based controllers.
Will the M500 and M500 get security fixes?
11-14-2018 08:26 AM - edited 11-14-2018 08:26 AM
@Guest2 only the MX100, MX200, and MX300 were effected by this. Firmware updates were rolled out for the MX100 and MX200 in May, so as long as you have the most recent firmware on those drives they are secure. The MX300 is last drive waiting on the update. This issue does not effect the current line of drives, including the MX500.