
Google Project Zero team member James Forshaw discovered two critical vulnerabilities in the driver that TrueCrypt installs on Windows systems. The flaws, CVE-2015-7358 and CVE-2015-7359, allow attackers to escalate their privileges, gaining full administrator rights and access to all user data, even if it is encrypted.
The vulnerabilities went unnoticed during an independent audit of the application code. The audit consisted of two stages and was carried out by engineers at iSEC Partners after the TrueCrypt developers unexpectedly announced the closure of the project, saying that its code may contain vulnerabilities.
Forshaw believes that the vulnerabilities he found are not backdoors. The researcher noted that apparently the audit participants simply did not notice them.

The auditors focused specifically on searching for “bookmarks” (deliberately planted backdoors) in the code; suspicions of their presence arose after the strange statements of the original TrueCrypt developers, who remained anonymous.
The researcher has not yet published details, stating that he wants to give the authors of forks a week to fix the bugs. Since the tool is no longer officially developed, the security holes will not be fixed in the code of the original application. However, the bugs were fixed in the open-source program VeraCrypt, which is based on TrueCrypt.
VeraCrypt 1.15, released in late September, contains patches for the vulnerabilities found by Forshaw.
According to Artem Shishkin, an expert at the Positive Research research center, it is very easy to exploit the vulnerabilities found by Forshaw. “The built-in static verifier doesn’t complain about this, but the one who “fumbles” in safety will first of all check this.” The expert is not sure that the vulnerabilities were “bookmarks”: “It is doubtful, most likely a hack-work that has remained since the days of Windows XP.”
Dmitry Sklyarov, head of application analysis at Positive Technologies, suggested that the detected vulnerabilities could indeed have been left by the TrueCrypt developers intentionally.
“The error more likely allows not privilege escalation but access to a TrueCrypt volume mounted under another user, without administrator rights. That is, the vulnerability does not allow control of the machine, but the provision of confidentiality is clearly lame.
In the light of these facts, I, as a professional paranoid, state that these vulnerabilities may well be planned bookmarks. And the fact that they are so similar to “sloppiness” makes them good bookmarks, because specially created vulnerabilities are quite difficult to keep invisible.”
According to Sklyarov, during a quality security audit, such errors should have been detected:
“In such cases, they are always looking for specific types of vulnerabilities - from the description it seems that in the conducted audit, we looked for backdoors and algorithmic bookmarks. So a good audit must identify such holes.”