CVE-2021-36750 Overview
CVE-2021-36750 is a cryptographic vulnerability affecting ENC DataVault before version 7.2 and VaultAPI v67 that involves improper key derivation handling. This weakness makes it significantly easier for attackers to determine the passwords of all DataVault users, compromising data protection across USB drives sold under multiple brand names including SanDisk SecureAccess.
Critical Impact
Attackers can potentially recover passwords for all DataVault users due to flawed key derivation implementation, compromising the confidentiality of encrypted data stored on affected USB devices across multiple hardware vendors.
Affected Products
- ENC DataVault (versions before 7.2)
- ENC VaultAPI (version 67 and earlier)
- SanDisk SecureAccess (version 3.02)
Discovery Timeline
- 2021-12-22 - CVE CVE-2021-36750 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-36750
Vulnerability Analysis
This vulnerability falls under CWE-307 (Improper Restriction of Excessive Authentication Attempts), though the core issue relates to weak key derivation practices. The flawed key derivation mechanism in ENC DataVault and VaultAPI allows attackers to more easily determine user passwords through cryptographic analysis.
The vulnerability affects the encryption software bundled with USB storage devices from multiple manufacturers. When users create encrypted vaults on their USB drives, the software derives encryption keys from user-supplied passwords. The weakness in this derivation process means the resulting keys do not provide the expected level of entropy or computational resistance to password recovery attacks.
This impacts users across multiple product lines since ENC Security provides the encryption technology that is white-labeled by various hardware vendors, including Western Digital's SanDisk SecureAccess product line.
Root Cause
The root cause lies in the mishandling of the key derivation function (KDF) implementation. Proper key derivation should transform a user password into a cryptographic key in a way that is computationally expensive to reverse or brute-force. The vulnerable implementation fails to provide adequate protection, reducing the effective security of the password-based encryption scheme.
Weak key derivation implementations may use insufficient iteration counts, weak or predictable salts, or deprecated algorithms that do not meet modern cryptographic standards. This allows attackers with access to the encrypted vault data to perform efficient password guessing attacks.
Attack Vector
The attack requires network access and low privileges to execute. An attacker who obtains access to encrypted vault data stored on affected USB drives can exploit the weak key derivation to perform accelerated password recovery attacks. This could occur through:
- Physical access to a lost or stolen USB drive
- Access to backup copies of vault data
- Network interception if vault data is transmitted over a network
The vulnerability allows attackers to determine passwords with significantly less computational effort than would be required against a properly implemented key derivation function. This enables practical password recovery attacks against what users believed to be securely encrypted data.
Detection Methods for CVE-2021-36750
Indicators of Compromise
- Presence of ENC DataVault versions prior to 7.2 on USB storage devices
- SanDisk SecureAccess version 3.02 installations on workstations
- VaultAPI v67 or earlier in software inventories
- Encrypted vault files created with vulnerable software versions
Detection Strategies
- Inventory all USB encryption software deployed within the organization and verify version numbers against affected versions
- Monitor for the presence of ENC DataVault or SanDisk SecureAccess executables and check their version metadata
- Implement endpoint detection rules to flag systems with vulnerable encryption software installed
- Review software asset management databases for affected product entries
Monitoring Recommendations
- Establish a process to track encryption software versions on removable media devices
- Implement alerts for use of deprecated or vulnerable encryption tools
- Monitor security advisories from ENC Security and Western Digital for updates
- Consider network monitoring for vault file transfers that may expose encrypted data to interception
How to Mitigate CVE-2021-36750
Immediate Actions Required
- Update ENC DataVault to version 7.2 or later immediately
- Update SanDisk SecureAccess to the latest patched version per the Western Digital Security Update
- Re-encrypt all vault data using updated software to ensure new key derivation is applied
- Change passwords on all affected vaults after software update
Patch Information
ENC Security has released updated software to address this vulnerability. Users should obtain the latest version from the Zendesk Software Update page. Western Digital has also issued updates for SanDisk SecureAccess users through their Security Advisory.
After updating the software, existing encrypted vaults should be migrated to new vaults created with the patched software to benefit from the improved key derivation. Simply updating the software does not retroactively fix vaults created with the vulnerable implementation.
Workarounds
- Avoid using affected encryption software until patches can be applied
- Consider alternative full-disk encryption solutions for sensitive USB storage needs
- Store encrypted vault files only on systems with strong access controls to limit exposure
- Implement strong, unique passwords exceeding 20 characters to partially mitigate weak key derivation
- Treat data encrypted with vulnerable versions as potentially compromised if the device was lost or accessed by untrusted parties
# Verification steps for SanDisk SecureAccess
# Check installed version on Windows
dir "C:\Program Files\SanDisk\SecureAccess" /s
# Verify version information in application properties
# Right-click executable > Properties > Details > File version
# Ensure version is newer than 3.02
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
