VeraCrypt, the well-known open source encryption software, has been updated to version 1.19. The updated version of the product can be downloaded here. The new release fixes significant vulnerabilities that were revealed by the audit of the VeraCrypt source code carried out by Quarkslab specialists. The specialists discovered 8 critical vulnerabilities, 3 medium-level vulnerabilities and another 15 low-level vulnerabilities.
Quarkslab made a security assessment of VeraCrypt 1.18. Quarkslab engineers carried out the assessment between Aug. 16 and Sep. 14, 2016, for a total of 32 man-days of study. A critical vulnerability related to cryptography was identified. It was introduced in version 1.18 and is fixed in version 1.19.
VeraCrypt is an on-the-fly file encryption software and is a fork from another well-known encryption software called TrueCrypt, which was discontinued in 2014. VeraCrypt is supported by French programmer Mounir Idrassi.
Both the application itself and the OS bootloader component received fixes. The following vulnerabilities have been fixed in version 1.19:
- Fully removed encryption according to the GOST 28147-89 standard.
- Removed support for the XZip and XUnzip libraries; VeraCrypt now uses the more secure libzip library instead.
- Fixed a vulnerability in the bootloader that allowed an attacker to determine the length of the password.
- Fixed a vulnerability in the bootloader code that left the password entered by the user in BIOS Data Area memory, where attackers could recover it.
- Fixed a similar vulnerability that kept confidential bootloader data in memory without deleting it properly. This could allow attackers to gain access to the user's new password when it is changed from the old one.
- Fixed a memory-corruption vulnerability in the bootloader, present in the XUnzip library code when processing VeraCrypt Recovery Disk archives. The vulnerability is eliminated by discontinuing XUnzip support and switching to libzip.
- Fixed a vulnerability in the bootloader that led to a null pointer dereference.
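The bootloader findings above (a password left in memory, confidential data not deleted, the password length recoverable) share one mitigation: a routine that handles a secret must wipe every buffer that held it, including the length, before it returns, and must do so in a way the compiler cannot optimise away. The following C example is added here to illustrate that pattern; it is not VeraCrypt's code, and the names secure_zero, buffer_is_zero and handle_password, the 64-byte limit and the toy checksum are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical helper names (not VeraCrypt code): secure_zero,
   buffer_is_zero, handle_password. */

/* Overwrite n bytes through a volatile pointer so the compiler cannot treat
   the stores as dead and remove them. A plain memset() right before a buffer
   goes out of scope is a "dead store" and is frequently optimised away,
   which is exactly how secrets end up lingering in memory. */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Returns 1 if all n bytes are zero, 0 otherwise. Used to verify the wipe.
   The OR-accumulate form avoids an early exit, so the check itself does not
   reveal where the first non-zero byte is. */
int buffer_is_zero(const void *p, size_t n)
{
    const unsigned char *bp = (const unsigned char *)p;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= bp[i];
    }
    return acc == 0;
}

#define PW_MAX 64  /* constructed limit for the example */

/* Copies a password into a fixed-size stack buffer, "uses" it (a toy checksum
   stands in for real key derivation), wipes the buffer and the length, and
   reports whether the wipe left the buffer clean. Returns 1 on a clean wipe,
   0 if the input is rejected as too long. */
int handle_password(const char *password, uint32_t *checksum_out)
{
    unsigned char buf[PW_MAX];
    size_t len = strlen(password);
    if (len > PW_MAX) {
        return 0; /* refuse rather than truncate silently */
    }
    memcpy(buf, password, len);

    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum = sum * 31 + buf[i];
    }
    if (checksum_out) {
        *checksum_out = sum;
    }

    /* Wipe the whole buffer, not just len bytes, and wipe the length too:
       the length alone is information about the password. */
    secure_zero(buf, sizeof buf);
    secure_zero(&len, sizeof len);

    return buffer_is_zero(buf, sizeof buf);
}

int main(void)
{
    uint32_t sum;
    int clean = handle_password("constructed-example-password", &sum);
    printf("wipe clean: %d\n", clean);
    return clean ? 0 : 1;
}
```

The volatile-pointer loop is the portable fallback; where the platform offers a guaranteed wipe (explicit_bzero on BSD and glibc, SecureZeroMemory on Windows, memset_s from C11 Annex K), prefer that, since it is what those libraries exist for.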
The full version of the audit report can be found here.

be secure.