TrueCrypt may be a fond memory for most of its users, but that hasn’t stopped researchers and hackers from poking about the open source encryption software.
Recently, researchers from Google’s Project Zero team uncovered a pair of elevation of privilege vulnerabilities in TrueCrypt, both of which were patched this weekend in VeraCrypt, one of the few remaining free disk encryption packages available for Windows. VeraCrypt is one of two projects that forked the last available TrueCrypt build—CipherShed being the other.
Researcher James Forshaw has not yet made public any details about the flaws, but said on his Twitter feed that the vulnerabilities, though not added intentionally into the codebase, are the type that could have slipped past a code audit and review.
Even though my #truecrypt bugs weren’t back doors it’s clear that it was possible to sneak them past an audit 😞
— James Forshaw (@tiraniddo) September 28, 2015
TrueCrypt last year famously shut down development of any new versions and updates after its mysterious and anonymous handlers pulled the plug on the project. This happened shortly after the Snowden revelations of 2013 kicked off a firestorm of concern over government backdoors in important software projects. TrueCrypt was audited by NCC Group Cryptography Services, and aside from a few code quality issues and security vulnerabilities, it was given a clean bill of health.
Both vulnerabilities were rated critical, but one of them, CVE-2015-7358, is more pressing than the other, said Mounir Idrassi, who runs VeraCrypt. A request to Google for additional comment was not returned in time for publication.
Idrassi said that an attacker could abuse the vulnerability, in which the TrueCrypt driver does not properly validate the drive letter symbolic link used for mounting volumes. An attacker with code running in any process on the machine can use the driver to obtain full administrative privileges.
“This is a critical issue since any process can call a [TrueCrypt] driver, which means that any process can get full admin privileges,” Idrassi said. “This can be exploited by malware to get full access to the machine just by running in the context of a normal user. It also can be exploited to attack servers if TrueCrypt is installed and even if no volumes are mounted: it is enough to compromise the account of a normal user on this server to get remote access and from there run the exploit to get administrative rights and do nasty things on the server.”
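The missing check Idrassi describes is an input-validation failure in kernel code: a user-controlled symbolic link name is acted on without confirming it is actually a drive letter. The following is an added illustration of a strict allow-list check for such a name, written for this article and not taken from TrueCrypt or VeraCrypt (the project's actual patch is not shown on this page); `validate_drive_letter_link` and `link_letter` are hypothetical helper names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if c is an ASCII letter, 0 otherwise (locale-independent). */
static int is_ascii_letter(char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

/* Allow-list validation of a drive-letter symbolic link name.
 * Accepts only "\DosDevices\X:" or "\??\X:" where X is a single ASCII
 * letter (either case).  Any other prefix, extra path components after
 * the colon, a multi-character "letter", or a missing colon is rejected.
 * On success stores the upper-case letter in *letter_out and returns 1;
 * returns 0 on any rejection.  Hypothetical helper, not VeraCrypt's fix. */
static int validate_drive_letter_link(const char *name, char *letter_out)
{
    static const char *const prefixes[] = { "\\DosDevices\\", "\\??\\" };
    size_t i;

    if (name == NULL || letter_out == NULL)
        return 0;

    for (i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++) {
        size_t plen = strlen(prefixes[i]);
        const char *rest;

        if (strncmp(name, prefixes[i], plen) != 0)
            continue;
        rest = name + plen;
        /* Exactly one letter, then ':', then the terminator: nothing else. */
        if (is_ascii_letter(rest[0]) && rest[1] == ':' && rest[2] == '\0') {
            *letter_out = (char)(rest[0] >= 'a' ? rest[0] - ('a' - 'A') : rest[0]);
            return 1;
        }
        return 0;
    }
    return 0;
}

/* Convenience wrapper: the validated upper-case letter, or 0 if rejected. */
static char link_letter(const char *name)
{
    char letter = 0;
    return validate_drive_letter_link(name, &letter) ? letter : 0;
}

int main(void)
{
    /* Constructed sample inputs: two well-formed names and one that is not. */
    printf("%c %c %d\n", link_letter("\\DosDevices\\X:"), link_letter("\\??\\e:"),
           link_letter("\\DosDevices\\X:\\..\\Device\\Other"));
    return 0;
}
```

A driver would additionally need to confirm that the link resolves to a device it owns before dismounting or reusing it; name syntax alone is only the first gate.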
The second vulnerability, CVE-2015-7359, occurs because the TrueCrypt driver does not validate the security context of the calling user, Idrassi said. This allows an attacker to impersonate another user on the same machine and dismount that user's VeraCrypt volume or change how the software is configured.
“This is not as critical as the first one. The only possible attack is on a shared machine (for example a server) where a user can dismount volumes mounted by others and he can also list all mounted volumes and get their properties (file location, partition, algorithms used, size…),” Idrassi said. “This can be used as a preliminary step for a more targeted attack, and it can also be used as a disruptive attack by dismounting volumes used by the system through the compromise of a normal user account.”
Idrassi said he agrees with Forshaw that the vulnerabilities were not intentionally introduced and that they are the types of flaws that could have been known and exploited for years.
“These are the kind of vulnerabilities that exist in many software packages on Windows and they are caused by lack of proper parameter validation in kernel mode code,” Idrassi said. “But, for experts of the Windows Kernel vulnerability field, it should be fairly easy to spot, especially since in the last couple of years this type of privilege escalation has become very widespread.”