Western Digital SSD Dashboard Setup, Privilege Escalation
WDC Tracking Number: WDC-20001
Product Line/Web: WesternDigitalSSDDashboardSetup.exe and SanDiskSSDDashboardSetup.exe
Published: February 10, 2020
Last Updated: February 10, 2020
The Western Digital and SanDisk SSD Dashboard installer versions prior to 18.104.22.168 have a DLL hijacking vulnerability. If an attacker knows which DLLs a program loads, a malicious DLL can be injected into the loading process. Successful exploitation of this vulnerability could lead to arbitrary code execution in the context of the system user. An update that addresses the vulnerability is available.
To install or uninstall SanDisk SSD Dashboard or Western Digital SSD Dashboard, please download and run the latest version of the installer.
The affected versions of the Western Digital and SanDisk SSD Dashboard installers are vulnerable to DLL search order hijacking, which allows malicious users to escalate privileges when the installer is executed. Using the updated installers to install or uninstall the application will mitigate this potential vulnerability.
CVE Number: CVE-2020-8959
Reported by: Eli Paz and Eran Shimony of CyberArk Labs.
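A pre-flight check for the installers named above, added here as an example and not taken from Western Digital: it reports each installer's file version against the fixed version stated in this advisory and lists any DLLs sitting in the same folder along with their signature status. The function name `Test-DashboardInstaller` is hypothetical, and the check assumes a planted DLL would be placed in the installer's own folder, which Windows searches first by default.

```powershell
# Added example (not vendor code). Assumption: a planted DLL would sit next to
# the installer, the first location in the default Windows DLL search order.
function Test-DashboardInstaller {
    param(
        [Parameter(Mandatory)] [string] $Directory,
        # Fixed installer version as stated in the advisory text
        [version] $FixedVersion = '18.104.22.168'
    )
    # Installer file names taken from the advisory's "Product Line" field
    $names = 'WesternDigitalSSDDashboardSetup.exe', 'SanDiskSSDDashboardSetup.exe'

    $installers = Get-ChildItem -LiteralPath $Directory -File |
        Where-Object { $names -contains $_.Name }

    foreach ($exe in $installers) {
        $info = $exe.VersionInfo
        # Build the version from numeric parts; the FileVersion string may carry extra text
        $ver = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                              $info.FileBuildPart, $info.FilePrivatePart)

        # Every DLL beside the installer is a load candidate and deserves a look
        $dlls = Get-ChildItem -LiteralPath $exe.DirectoryName -Filter *.dll -File |
            ForEach-Object {
                [pscustomobject]@{
                    Name      = $_.Name
                    Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                    LastWrite = $_.LastWriteTime
                }
            }

        [pscustomobject]@{
            Installer          = $exe.FullName
            FileVersion        = $ver
            Affected           = $ver -lt $FixedVersion
            InstallerSignature = (Get-AuthenticodeSignature -LiteralPath $exe.FullName).Status
            AdjacentDlls       = @($dlls)
        }
    }
}

# Typical use: inspect the folder the installer was downloaded to
Test-DashboardInstaller -Directory (Join-Path $env:USERPROFILE 'Downloads') |
    Format-List Installer, FileVersion, Affected, InstallerSignature, AdjacentDlls
```

An installer reported as `Affected`, or any entry under `AdjacentDlls`, is a reason to download the current installer into an empty folder before running it.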