NVD

CVE-2022-23005 Detail

Modified

This CVE record has been updated after NVD enrichment efforts were completed. Enrichment data supplied by the NVD may require amendment due to these changes.

Description

Western Digital has identified a weakness in the UFS standard that could result in a security vulnerability. This vulnerability may exist in some systems where the Host boot ROM code implements the UFS Boot feature to boot from UFS compliant storage devices. The UFS Boot feature, as specified in the UFS standard, is provided by UFS devices to support platforms that need to download the system boot loader from external non-volatile storage locations. Several scenarios have been identified in which adversaries may disable the boot capability, or revert to an old boot loader code, if the host boot ROM code is improperly implemented. UFS Host Boot ROM implementers may be impacted by this vulnerability. UFS devices are only impacted when connected to a vulnerable UFS Host and are not independently impacted by this vulnerability. When present, the vulnerability is in the UFS Host implementation and is not a vulnerability in Western Digital UFS Devices. Western Digital has provided details of the vulnerability to the JEDEC standards body, multiple vendors of host processors, and software solutions providers.

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

CNA: Western Digital

Base Score: 8.7 HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Hyperlink	Resource
https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/collateral/white-paper/white-paper-host-boot-rom-code-vulnerability-and-mitigation.pdf	Exploit Technical Description Vendor Advisory
https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/collateral/white-paper/white-paper-host-boot-rom-code-vulnerability-and-mitigation.pdf	Exploit Technical Description Vendor Advisory
https://www.westerndigital.com/support/product-security/wdc-23001-host-boot-rom-code-vulnerability-in-systems-implementing-ufs-boot-feature	Vendor Advisory
https://www.westerndigital.com/support/product-security/wdc-23001-host-boot-rom-code-vulnerability-in-systems-implementing-ufs-boot-feature	Vendor Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-662	Improper Synchronization	NIST
CWE-1262	Improper Access Control for Register Interface	Western Digital
CWE-1224	Improper Restriction of Write-Once Bit Fields	Western Digital
CWE-1233	Security-Sensitive Hardware Controls with Missing Lock Bit Protection	Western Digital

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

3 change records found show changes

Initial Analysis by NIST 2/08/2023 2:14:16 PM

Action	Type	Old Value	New Value
Added	CVSS V3.1		NIST AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
Added	CWE		NIST CWE-662
Added	CPE Configuration		AND OR cpe:2.3:a:jedec:universal_flash_storage:-::::::: OR cpe:2.3:h:westerndigital:inand_eu311_mobile_mc_ufs:-:::::::* cpe:2.3:h:westerndigital:inand_eu312_automotive_xa_at_ufs:-:::::::* cpe:2.3:h:westerndigital:inand_eu312_industrial_ix_ufs:-:::::::*
Changed	Reference Type	https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/collateral/white-paper/white-paper-host-boot-rom-code-vulnerability-and-mitigation.pdf No Types Assigned	https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/collateral/white-paper/white-paper-host-boot-rom-code-vulnerability-and-mitigation.pdf Exploit, Technical Description, Vendor Advisory
Changed	Reference Type	https://www.westerndigital.com/support/product-security/wdc-23001-host-boot-rom-code-vulnerability-in-systems-implementing-ufs-boot-feature No Types Assigned	https://www.westerndigital.com/support/product-security/wdc-23001-host-boot-rom-code-vulnerability-in-systems-implementing-ufs-boot-feature Vendor Advisory

Quick Info

CVE Dictionary Entry:
CVE-2022-23005
NVD Published Date:
01/23/2023
NVD Last Modified:
11/21/2024
Source:
Western Digital

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database