CryptWare has released an update for its “CryptoPro Secure Disk for BitLocker” tool after researchers discovered a couple of serious vulnerabilities that can allegedly be exploited to backdoor the system and steal sensitive data.
CryptWare’s CryptoPro Secure Disk is a product designed to enhance the functionality of BitLocker, the full disk encryption feature made available by Microsoft for some versions of Windows. CryptoPro Secure Disk provides BitLocker users several new features, including PreBoot Authentication (PBA), and support for UID/password and smartcard/PIN authentication.
An advisory published on Wednesday by IT security services and consulting company SEC Consult shows that the application is affected by two vulnerabilities that can be exploited by an attacker who has physical access to the targeted system.
The first vulnerability can be exploited to access a root shell at boot and execute arbitrary commands. The output of the executed commands is not visible, but the attacker can connect the targeted machine to a DHCP server that assigns it an IP address and then bind the root shell to port 8197. Connecting to port 8197 allows the attacker to view the output of the commands they execute, researchers said.
The flaw exists because CryptoPro Secure Disk does not properly block terminal access. When installed, the product creates a new partition that runs a small Linux operating system, which gets booted before BitLocker code is executed. A local attacker can use a keyboard shortcut to launch a terminal and execute commands.
The second vulnerability found by SEC Consult is caused by inadequate verification mechanisms. At startup, a script compares the checksum of the files on the system with a preconfigured list and the boot process is halted if invalid files are detected. However, experts identified a design flaw that can be exploited to modify files on the system and still be able to bypass the verification process.
Researchers believe this flaw can be leveraged to backdoor the system and steal sensitive information, including BitLocker and domain credentials, and the certificate used for 802.1x authentication.
“The attacker only needs a few seconds in front of the custom CryptWare login screen of the laptop to conduct the attack. You only need time to write one command or plugin an ‘automated keyboard’ which writes the command like a rubber ducky – e.g. via your mobile phone with Kali Nethunter (‘may I charge my phone?’),” Johannes Greil, senior security consultant at SEC Consult, told SecurityWeek.
“A realistic attack scenario is: The attacker visits the victim in his office, the victim leaves the room for a short moment. Because the computer is at the login screen (or turned off) the victim thinks nothing can happen in the short time,” Greil explained. “The attacker plugs in a manipulated USB stick (rubber ducky) or mobile phone, the system automatically gets infected and backdoored. As soon as the victim continues his work, the attacker has access to the login credentials/certificate.”
The vulnerabilities were reported to CryptWare on August 1 and they were patched roughly one week later with the release of CryptoPro Secure Disk 5.2.1. The company told SecurityWeek that the improper verification issue did not allow an attacker to access data encrypted in Windows and claims it only exposed IP addresses.
Related: Attackers Can Target Enterprises via GroupWise Collaboration Tool