CVE-2022-23005: Host Boot ROM Code Vulnerability in Systems Implementing UFS Boot Feature
First published: Mon Jan 23 2023(Updated: )
Western Digital has identified a weakness in the UFS standard that could result in a security vulnerability. This vulnerability may exist in some systems where the Host boot ROM code implements the UFS Boot feature to boot from UFS compliant storage devices. The UFS Boot feature, as specified in the UFS standard, is provided by UFS devices to support platforms that need to download the system boot loader from external non-volatile storage locations. Several scenarios have been identified in which adversaries may disable the boot capability, or revert to an old boot loader code, if the host boot ROM code is improperly implemented. UFS Host Boot ROM implementers may be impacted by this vulnerability. UFS devices are only impacted when connected to a vulnerable UFS Host and are not independently impacted by this vulnerability. When present, the vulnerability is in the UFS Host implementation and is not a vulnerability in Western Digital UFS Devices. Western Digital has provided details of the vulnerability to the JEDEC standards body, multiple vendors of host processors, and software solutions providers.
Credit: psirt@wdc.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jedec Universal Flash Storage | ||
| Westerndigital Inand Eu311 Mobile Mc Ufs | ||
| Westerndigital Inand Eu312 Automotive Xa At Ufs | ||
| Westerndigital Inand Eu312 Industrial Ix Ufs |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/collateral/white-paper/white-paper-host-boot-rom-code-vulnerability-and-mitigation.pdf
- https://www.westerndigital.com/support/product-security/wdc-23001-host-boot-rom-code-vulnerability-in-systems-implementing-ufs-boot-feature
Frequently Asked Questions
What is CVE-2022-23005?
CVE-2022-23005 is a vulnerability identified in the UFS standard that could result in a security vulnerability.
How does CVE-2022-23005 affect Western Digital products?
Western Digital products that implement the UFS Boot feature to boot from UFS compliant storage devices may be affected by CVE-2022-23005.
What is the severity of CVE-2022-23005?
CVE-2022-23005 has a severity rating of 8.7 (high).
How do I check if my Western Digital product is affected by CVE-2022-23005?
To check if your Western Digital product is affected, refer to the Western Digital support page provided in the references.
What can I do to mitigate the vulnerability CVE-2022-23005?
Follow the mitigation steps provided in the Western Digital white paper linked in the references to mitigate the vulnerability.
- collector/nvd-index
- agent/weakness
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/last-modified-date
- agent/tags
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- vendor/jedec
- canonical/jedec universal flash storage
- vendor/westerndigital
- canonical/westerndigital inand eu311 mobile mc ufs
- canonical/westerndigital inand eu312 automotive xa at ufs
- canonical/westerndigital inand eu312 industrial ix ufs