“These include the AES implementation, which is still susceptible to cache-timing attacks, and the issues in TC_IOCTL_OPEN_TEST that need to change the application behavior,” Quarkslab said, adding also that vulnerabilities leading to TrueCrypt incompatibility related to crypto mechanisms have also not yet been addressed. Quarkslab said in a blog post announcing the results that vulnerabilities requiring substantial code work or re-architecting have also not been fixed. An attacker can gain full administrative privileges by abusing this flaw, Idrassi said. VeraCrypt developer Mounir Idrassi told Threatpost a year ago that the driver does not properly validate the drive letter symbolic link used to mount volumes. The audit confirmed that all of the vulnerabilities found in the OCAP audit have been fixed in VeraCrypt except for one issue labeled as “minor.” This includes a pair of privilege escalation issues disclosed by Google Project Zero researcher James Forshaw. Forshaw disclosed the bugs, both rated critical, after the conclusion of the OCAP audit; one of the vulnerabilities found in the TrueCrypt driver was more severe. The remainder of the assessment was a look into VeraCrypt’s existing code and new features, including UEFI support, support for non-Western crypto algorithms, and more. Part of the VeraCrypt audit was to ensure that any vulnerabilities identified in the OCAP audit of TrueCrypt were patched in VeraCrypt. TrueCrypt was soon thereafter audited by the Open Crypto Audit Project and a number of vulnerabilities were uncovered, but no backdoors as was feared in the aftermath of the initial Snowden leaks. The examination was carried out against VeraCrypt 1.18. VeraCrypt is a fork of TrueCrypt, the once-popular and de facto standard for free FDE, which was abandoned in 2014 under mysterious circumstances as the project’s maintainers said the code was no longer safe to use.
16, was funded by the Open Source Technology Improvement Fund (OSTIF) and executed by two researchers at Quarkslab. An audit of open source file and disk encryption package VeraCrypt turned up a number of critical vulnerabilities that have been patched in the month since the assessment was wrapped up.