Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Vulnerabilities Found in CryptWare BitLocker Enhancement Tool

CryptWare has released an update for its “CryptoPro Secure Disk for BitLocker” tool after researchers discovered a couple of serious vulnerabilities that can allegedly be exploited to backdoor the system and steal sensitive data.

CryptWare has released an update for its “CryptoPro Secure Disk for BitLocker” tool after researchers discovered a couple of serious vulnerabilities that can allegedly be exploited to backdoor the system and steal sensitive data.

CryptWare’s CryptoPro Secure Disk is a product designed to enhance the functionality of BitLocker, the full disk encryption feature made available by Microsoft for some versions of Windows. CryptoPro Secure Disk provides BitLocker users several new features, including PreBoot Authentication (PBA), and support for UID/password and smartcard/PIN authentication.

An advisory published on Wednesday by IT security services and consulting company SEC Consult shows that the application is affected by two vulnerabilities that can be exploited by an attacker who has physical access to the targeted system.

The first vulnerability can be exploited to access a root shell at boot and execute arbitrary commands. The output of the executed commands is not visible, but the attacker can connect the targeted machine to a DHCP server that assigns it an IP address and then bind the root shell to port 8197. Connecting to port 8197 allows the attacker to view the output of the commands they execute, researchers said.

The flaw exists because CryptoPro Secure Disk does not properly block terminal access. When installed, the product creates a new partition that runs a small Linux operating system, which gets booted before BitLocker code is executed. A local attacker can use a keyboard shortcut to launch a terminal and execute commands.

The second vulnerability found by SEC Consult is caused by inadequate verification mechanisms. At startup, a script compares the checksum of the files on the system with a preconfigured list and the boot process is halted if invalid files are detected. However, experts identified a design flaw that can be exploited to modify files on the system and still be able to bypass the verification process.

Researchers believe this flaw can be leveraged to backdoor the system and steal sensitive information, including BitLocker and domain credentials, and the certificate used for 802.1x authentication.

“The attacker only needs a few seconds in front of the custom CryptWare login screen of the laptop to conduct the attack. You only need time to write one command or plugin an ‘automated keyboard’ which writes the command like a rubber ducky – e.g. via your mobile phone with Kali Nethunter (‘may I charge my phone?’),” Johannes Greil, senior security consultant at SEC Consult, told SecurityWeek.

Advertisement. Scroll to continue reading.

“A realistic attack scenario is: The attacker visits the victim in his office, the victim leaves the room for a short moment. Because the computer is at the login screen (or turned off) the victim thinks nothing can happen in the short time,” Greil explained. “The attacker plugs in a manipulated USB stick (rubber ducky) or mobile phone, the system automatically gets infected and backdoored. As soon as the victim continues his work, the attacker has access to the login credentials/certificate.”

The vulnerabilities were reported to CryptWare on August 1 and they were patched roughly one week later with the release of CryptoPro Secure Disk 5.2.1. The company told SecurityWeek that the improper verification issue did not allow an attacker to access data encrypted in Windows and claims it only exposed IP addresses.

Related: Attackers Can Target Enterprises via GroupWise Collaboration Tool

Related: Researcher Demonstrates Simple BitLocker Bypass

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Endpoint Security

Gigabyte has announced BIOS updates that remove a recently identified backdoor feature in hundreds of its motherboards.

Endpoint Security

Several major companies have published advisories in response to the Downfall vulnerability affecting Intel CPUs.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Endpoint Security

The Zero Day Dilemma

Endpoint Security

When establishing visibility and security controls across endpoints, security professionals need to understand that each endpoint bears some or all responsibility for its own...