Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

VeraCrypt Patches Vulnerabilities Following Audit

A recently conducted security assessment of VeraCrypt has revealed over 25 security vulnerabilities in the popular encryption platform, including a critical cryptography flaw.

A recently conducted security assessment of VeraCrypt has revealed over 25 security vulnerabilities in the popular encryption platform, including a critical cryptography flaw.

Funded by OSTIF (The Open Source Technology Improvement Fund), the assessment was performed by two Quarkslab senior researchers, Jean-Baptiste Bédrune and Marion Videau. Between Aug. 16 and Sep. 14, 2016, the two focused mainly on the new features that were introduced following last year’s audit of TrueCrypt.

Derived from the now discontinued TrueCrypt, VeraCrypt is a disk encryption software developed by IDRIX that not only focused on resolving vulnerabilities, but also on introducing new features. The security researchers analyzed version 1.18 of the software, and version 1.19 has already released to resolve the discovered issues.

Some of the introduced features include: support of UEFI, non-Western cryptographic algorithms (Camellia, Kuznyechik, GOST 28147-89, Streebog), volume expander, “Personal Iterations Multiplier,” support of UNICODE on Windows, use of StrSafe functions instead of string.h, gathering of entropy on mouse movements at each random number generation.

The Quarkslab researchers first focused on assessing the manner in which VeraCrypt resolved the vulnerabilities discovered in TrueCrypt and revealed that all of those brought to light by last year’s audit have been correctly fixed, except for a minor fix for one of them.

“In particular, the problem leading to a privilege escalation discovered by James Forshaw in the TrueCrypt driver just after the OCAP audit has been solved,” the researchers noted in their security assessment (PDF).

However, the researchers explain that the flaws that require “substantial modifications of the code or the architecture of the project” haven’t been patched, including the AES implementation that is susceptible to cache-timing attacks. Moreover, vulnerabilities leading to incompatibility with TrueCrypt have not been fixed.

A keyfile mixing not being cryptographically sound bug was one of the most notable issues found by the audit, a result of the fact that the manner in which the keyfiles are mixed to derive secret data relies on non-cryptographic mechanisms. There is also an unauthenticated ciphertext in volume headers flaw, where the lack of a real MAC on the volume headers makes existential forgeries possible with approximately 232 queries.

Advertisement. Scroll to continue reading.

The researchers also discovered a series of new issues that must be corrected quickly, such as the availability of GOST 28147-89, a symmetric block cipher with a 64-bit block size. Added in VeraCrypt 1.18, the algorithm has been removed in version 1.19.

Moreover, the audit discovered that compression libraries are outdated or poorly written and that they must be updated or replaced. On top of that, researchers reveal that, if the system is encrypted, the boot password (in UEFI mode) or its length (in legacy mode) could be retrieved by an attacker, and they say that the UEFI loader is not mature yet, but that this is not causing security problems from a strict cryptographic point of view.

Despite these issues, however, the security researchers say that VeraCrypt evolved in a good direction and that assessment conclusions are taken into consideration. The overall security of the project is improving and the results are beneficial for people interested in using a disk encryption software.

“VeraCrypt is a project hard to maintain. Deep knowledge of several operating systems, the Windows kernel, the system boot chain and good concepts in cryptography are required. The improvements made by IDRIX demonstrate the possession of these skills,” the two researchers said.

Related: TrueCrypt Provides Good Data Protection: Audit

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...