Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

VeraCrypt Patches Vulnerabilities Following Audit

A recently conducted security assessment of VeraCrypt has revealed over 25 security vulnerabilities in the popular encryption platform, including a critical cryptography flaw.

A recently conducted security assessment of VeraCrypt has revealed over 25 security vulnerabilities in the popular encryption platform, including a critical cryptography flaw.

Funded by OSTIF (The Open Source Technology Improvement Fund), the assessment was performed by two Quarkslab senior researchers, Jean-Baptiste Bédrune and Marion Videau. Between Aug. 16 and Sep. 14, 2016, the two focused mainly on the new features that were introduced following last year’s audit of TrueCrypt.

Derived from the now discontinued TrueCrypt, VeraCrypt is a disk encryption software developed by IDRIX that not only focused on resolving vulnerabilities, but also on introducing new features. The security researchers analyzed version 1.18 of the software, and version 1.19 has already released to resolve the discovered issues.

Some of the introduced features include: support of UEFI, non-Western cryptographic algorithms (Camellia, Kuznyechik, GOST 28147-89, Streebog), volume expander, “Personal Iterations Multiplier,” support of UNICODE on Windows, use of StrSafe functions instead of string.h, gathering of entropy on mouse movements at each random number generation.

The Quarkslab researchers first focused on assessing the manner in which VeraCrypt resolved the vulnerabilities discovered in TrueCrypt and revealed that all of those brought to light by last year’s audit have been correctly fixed, except for a minor fix for one of them.

“In particular, the problem leading to a privilege escalation discovered by James Forshaw in the TrueCrypt driver just after the OCAP audit has been solved,” the researchers noted in their security assessment (PDF).

However, the researchers explain that the flaws that require “substantial modifications of the code or the architecture of the project” haven’t been patched, including the AES implementation that is susceptible to cache-timing attacks. Moreover, vulnerabilities leading to incompatibility with TrueCrypt have not been fixed.

A keyfile mixing not being cryptographically sound bug was one of the most notable issues found by the audit, a result of the fact that the manner in which the keyfiles are mixed to derive secret data relies on non-cryptographic mechanisms. There is also an unauthenticated ciphertext in volume headers flaw, where the lack of a real MAC on the volume headers makes existential forgeries possible with approximately 232 queries.

The researchers also discovered a series of new issues that must be corrected quickly, such as the availability of GOST 28147-89, a symmetric block cipher with a 64-bit block size. Added in VeraCrypt 1.18, the algorithm has been removed in version 1.19.

Moreover, the audit discovered that compression libraries are outdated or poorly written and that they must be updated or replaced. On top of that, researchers reveal that, if the system is encrypted, the boot password (in UEFI mode) or its length (in legacy mode) could be retrieved by an attacker, and they say that the UEFI loader is not mature yet, but that this is not causing security problems from a strict cryptographic point of view.

Despite these issues, however, the security researchers say that VeraCrypt evolved in a good direction and that assessment conclusions are taken into consideration. The overall security of the project is improving and the results are beneficial for people interested in using a disk encryption software.

“VeraCrypt is a project hard to maintain. Deep knowledge of several operating systems, the Windows kernel, the system boot chain and good concepts in cryptography are required. The improvements made by IDRIX demonstrate the possession of these skills,” the two researchers said.

Related: TrueCrypt Provides Good Data Protection: Audit

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.