PT-2022-18991 · Verbatim · Verbatim Executive Fingerprint Secure SSD GDMSFE01-INI3637-C +3

Matthias Deeg · Published 2022-06-08 · Updated 2023-08-08 · CVE-2022-28382

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Verbatim Keypad Secure USB 3.2 Gen 1 Drive versions through 2022-03-31
Verbatim Store 'n' Go Secure Portable HDD GD25LK01-3637-C versions through VER4.0
Verbatim Executive Fingerprint Secure SSD GDMSFE01-INI3637-C versions through VER1.1
Verbatim Fingerprint Secure Portable Hard Drive versions through 2022-03-31

Description

An issue was discovered in certain Verbatim drives due to the use of an insecure AES encryption mode, Electronic Codebook (ECB). This allows an attacker to extract information from encrypted data by observing repeating byte patterns. The firmware of the USB-to-SATA bridge controller INIC-3637EN uses AES-256 in ECB mode, which always encrypts identical plaintext data to identical ciphertext data. For some data, such as bitmap images, the lack of diffusion within ECB can leak sensitive information even in encrypted data.

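
The following added example (not part of the original advisory or of any vendor code) shows the check an assessor can run on a raw dump of encrypted sectors: the share of 16-byte blocks that occur more than once. The keyed hash is an assumed stand-in for the AES block operation so the script needs no third-party library, and the sample data, key and function names are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # AES block size in bytes


def repeated_block_ratio(data: bytes) -> float:
    """Fraction of whole 16-byte blocks whose value occurs more than once."""
    usable = len(data) - len(data) % BLOCK  # ignore a trailing partial block
    blocks = [data[i:i + BLOCK] for i in range(0, usable, BLOCK)]
    if not blocks:
        return 0.0
    counts = Counter(blocks)
    repeated = sum(n for n in counts.values() if n > 1)
    return repeated / len(blocks)


def _prf(key: bytes, msg: bytes) -> bytes:
    # Stand-in for one AES block operation (assumption: HMAC-SHA256 truncated
    # to 16 bytes). It is deterministic per input, which is all the check needs.
    return hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK]


def ecb_like(key: bytes, plaintext: bytes) -> bytes:
    """Each output block depends only on the key and the plaintext block (ECB)."""
    return b"".join(_prf(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


def position_dependent(key: bytes, plaintext: bytes) -> bytes:
    """Each output block also depends on its block index."""
    return b"".join(
        _prf(key, (i // BLOCK).to_bytes(8, "big") + plaintext[i:i + BLOCK])
        for i in range(0, len(plaintext), BLOCK))


# Constructed sample: 64 KiB with large uniform regions, like a simple bitmap.
SAMPLE = (b"\xff" * 4096 + b"\x00" * 4096) * 8
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    print("ECB-like          :", repeated_block_ratio(ecb_like(KEY, SAMPLE)))
    print("position-dependent:", repeated_block_ratio(position_dependent(KEY, SAMPLE)))
```

On real media, a ratio far above zero over regions known to hold structured or zero-filled data is the signature of ECB; well-encrypted data yields essentially no repeated blocks.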
Recommendations

For Verbatim Keypad Secure USB 3.2 Gen 1 Drive, consider disabling the use of AES-256 with ECB mode until a secure alternative is implemented.
For Verbatim Store 'n' Go Secure Portable HDD GD25LK01-3637-C, restrict access to sensitive data stored on the device until a patch or update is available.
For Verbatim Executive Fingerprint Secure SSD GDMSFE01-INI3637-C, avoid storing sensitive information, such as bitmap images, on the device until the issue is resolved.
For Verbatim Fingerprint Secure Portable Hard Drive, as a temporary workaround, consider using alternative encryption methods or storing sensitive data on a different device until a fix is available.

Exploit

Fix

Weakness Enumeration: Use of a Broken Cryptographic Algorithm

Related Identifiers: CVE-2022-28382

Affected Products

Verbatim Executive Fingerprint Secure SSD GDMSFE01-INI3637-C
Verbatim Fingerprint Secure Portable Hard Drive
Verbatim Keypad Secure USB 3.2 Gen 1 Drive
Verbatim Store 'n' Go Secure Portable HDD GD25LK01-3637-C