Crucial MX500 SSD firmware susceptible to buffer overflow security vulnerability

A security vulnerability has been discovered in Crucial's MX500 SSDs, enabling data leakage that could potentially expose sensitive data. A user on the TechPowerUp forums discovered that the MX500 is vulnerable to buffer overflow, which causes this data leakage to occur.

This security vulnerability is dangerous because an attacker can trigger buffer overflow manually through specially crafted ATA packets from the host to the drive controller, as NIST explains. In technical terms, a buffer overflow is a software error that occurs when a program attempts to write more data to a memory buffer than what the buffer can physically hold. This reaction causes the program to overwrite adjacent memory buffers, erasing and replacing existing data with new data.

As Fortinet explains, extra data added to the adjacent memory buffer can hold malicious code that an attacker who put it there intentionally can exploit. Buffer overflow exploits can enable an attacker to gain full control over the machine and/or program they are attacking.

The vulnerability has been recorded as CVE-2024-42642. Crucial has yet to officially announce this vulnerability in its MX500 SSDs, and no one knows which firmware variants are affected. The most optimal case we can assume is that Crucial is working on a firmware update behind closed doors and will announce it once it's complete.

The Crucial MX500 series is an old SSD lineup that debuted in 2018. The lineup currently comprises 250GB, 500GB, 1TB, 2TB, and 4TB models. The 1TB model can be had for as little as $86, and the 4TB for as little as $269.99. The MX500 series consists entirely of SATA-III 2.5-inch form factor models featuring a maximum sequential read speed of 560MB/s.