An audit of open source file and disk encryption package VeraCrypt turned up a number of critical vulnerabilities that have been patched in the month since the assessment was wrapped up.
The audit, which began Aug. 16, was funded by the Open Source Technology Improvement Fund (OSTIF) and executed by two researchers at Quarkslab.
The examination was carried out against VeraCrypt 1.18; VeraCrypt is a fork of TrueCrypt, the once-popular and de facto standard for free full disk encryption (FDE), which was abandoned in 2014 under mysterious circumstances, with the project’s maintainers saying the code was no longer safe to use. TrueCrypt was soon thereafter audited by the Open Crypto Audit Project (OCAP) and a number of vulnerabilities were uncovered, but no backdoors, as had been feared in the aftermath of the initial Snowden leaks.
Part of the VeraCrypt audit was to ensure that any vulnerabilities identified in the OCAP audit of TrueCrypt were patched in VeraCrypt. The remainder of the assessment was a look into VeraCrypt’s existing code and new features, including UEFI support, support for non-Western crypto algorithms, and more.
The audit confirmed that all of the vulnerabilities found in the OCAP audit have been fixed in VeraCrypt except for one issue labeled as “minor.” This includes a pair of privilege escalation issues disclosed by Google Project Zero researcher James Forshaw.
Forshaw disclosed the bugs, both rated critical, after the conclusion of the OCAP audit; one of the vulnerabilities found in the TrueCrypt driver was more severe. VeraCrypt developer Mounir Idrassi told Threatpost a year ago that the driver does not properly validate the drive letter symbolic link used to mount volumes. An attacker can gain full administrative privileges by abusing this flaw, Idrassi said.
Quarkslab said in a blog post announcing the results that vulnerabilities requiring substantial code work or re-architecting have also not been fixed.
“These include the AES implementation, which is still susceptible to cache-timing attacks, and the issues in TC_IOCTL_OPEN_TEST that need to change the application behavior,” Quarkslab said, adding that vulnerabilities leading to TrueCrypt incompatibility related to crypto mechanisms have also not yet been addressed. Those include an assessment that keyfile mixing in VeraCrypt is not cryptographically sound, and the discovery of unauthenticated ciphertext in volume headers that could lead to attackers forging them with relatively small queries.
As for new issues, three stood out as the most critical, Quarkslab said.
VeraCrypt makes use of the GOST 28147-89 symmetric 64-bit block cipher, a weaker cipher than others used in the product.
According to Derek Zimmer, OSTIF president, GOST was added in VeraCrypt 1.17; the algorithm is a Soviet-developed alternative to DES.
“The implementation in VeraCrypt was designed to strengthen the algorithm to a usable state for modern crypto, but fell short,” Zimmer said in a Reddit AMA yesterday.
GOST 28147-89 is expected to be removed in version 1.19, Quarkslab said.
“The XTS code has not been adapted for such ciphers, so VeraCrypt emulates a 128-bit block cipher by encrypting two 64-bit blocks in CBC mode with a zero IV, which in itself raises several issues,” Quarkslab said. “Furthermore, to reach the same level of security as its 128-bit counterpart, the amount of data to be processed should be no more than 512 bytes, which is too small to be considered for a data at rest encryption system.”
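To make the quoted construction concrete, the following Python script is an added illustration, not VeraCrypt or Quarkslab code: it builds the "two 64-bit blocks in CBC mode with a zero IV" emulation of a 128-bit block and measures how a single flipped input bit spreads through the output. The inner 64-bit cipher is a constructed SHA-256-keyed Feistel toy that stands in for GOST 28147-89 and is not an implementation of it; the key and plaintext are constructed sample values. The property it exposes holds for any 64-bit cipher dropped into this construction: because the IV is zero, the first output half is a function of the first input half alone, so a change confined to the second input half never reaches the first output half, whereas a genuine 128-bit block cipher diffuses every input bit across the whole output. This is a general observation about the construction, not one of the specific issues Quarkslab enumerated.

```python
"""
Illustration of the wide-block emulation quoted above: a 64-bit block cipher
used to build a 128-bit block by CBC-encrypting two halves with an all-zero IV.
The 64-bit cipher is a constructed Feistel toy keyed with SHA-256; it stands in
for GOST 28147-89 and is NOT GOST, nor VeraCrypt code.
"""
import hashlib

HALF = 8            # 64-bit block size of the inner cipher, in bytes
WIDE = 16           # 128-bit block the construction tries to emulate
ZERO_IV = bytes(HALF)
ROUNDS = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function: SHA-256 of (key, round index, 32-bit half), truncated to 32 bits.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy64_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed 8-round Feistel cipher on 64-bit blocks (stand-in, not GOST)."""
    assert len(block) == HALF
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, xor(left, _f(key, right, rnd))
    return left + right


def toy64_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == HALF
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = xor(right, _f(key, left, rnd)), left
    return left + right


def emulated128_encrypt(key: bytes, block: bytes) -> bytes:
    """128-bit 'block' = CBC over two 64-bit halves with a zero IV (the quoted construction)."""
    assert len(block) == WIDE
    p1, p2 = block[:HALF], block[HALF:]
    c1 = toy64_encrypt(key, xor(p1, ZERO_IV))   # zero IV: c1 is a function of p1 alone
    c2 = toy64_encrypt(key, xor(p2, c1))        # chaining: c2 depends on both p1 and p2
    return c1 + c2


def emulated128_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == WIDE
    c1, c2 = block[:HALF], block[HALF:]
    p1 = xor(toy64_decrypt(key, c1), ZERO_IV)
    p2 = xor(toy64_decrypt(key, c2), c1)
    return p1 + p2


def changed_bits(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def diffusion_profile(key: bytes, block: bytes, bit: int) -> tuple:
    """Flip one input bit and report how many bits change in each output half.

    A genuine 128-bit block cipher changes roughly half the bits of BOTH output
    halves whichever input bit is flipped.  Here a flip in the second input half
    (bit >= 64) can never reach the first output half, so the first count is 0.
    """
    flipped = bytearray(block)
    flipped[bit // 8] ^= 1 << (bit % 8)
    base = emulated128_encrypt(key, block)
    alt = emulated128_encrypt(key, bytes(flipped))
    return changed_bits(base[:HALF], alt[:HALF]), changed_bits(base[HALF:], alt[HALF:])


if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed sample key
    pt = bytes(range(WIDE))         # constructed sample plaintext block
    assert emulated128_decrypt(key, emulated128_encrypt(key, pt)) == pt
    print("flip bit 3   (first half) -> changed bits (c1, c2):", diffusion_profile(key, pt, 3))
    print("flip bit 100 (second half) -> changed bits (c1, c2):", diffusion_profile(key, pt, 100))
```

Running the script shows the asymmetry directly: a flip in the first input half perturbs both output halves, while a flip in the second input half leaves the first eight ciphertext bytes byte-for-byte identical. That leak of "these two wide blocks share a first half" is exactly what a real 128-bit primitive under XTS would hide, which is why the audit treats the emulation as falling short of a drop-in 128-bit cipher.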
The audit also concluded that VeraCrypt’s compression libraries are either outdated or poorly written and must be replaced, a problem that could be leveraged for code execution. The report cites VeraCrypt’s use of older versions of zlib as an issue and says they will be replaced or rewritten in 1.19.
Finally, the audit revealed that if the system is encrypted, an attacker may be able to retrieve the boot password in UEFI mode, or its length in legacy mode.
“I would recommend version 1.19 containing the fixes, and be careful to read the documentation,” Zimmer said. “As long as you are following the documentation for known issues and using it as advised, I believe it is one of the best FDE systems out there.”