Audit sees VeraCrypt kill critical password recovery, cipher flaws

Patches slung at 11 bad bugs

Security researchers have found eight critical, three medium, and 15 low -severity vulnerabilities in a one month audit of popular encryption platform VeraCrypt.

The audit is the latest in a series prompted by the shock abandoning of TrueCrypt in May 2014 due to unspecified security concerns claimed by the hitherto trusted platform's mysterious authors.

VeraCrypt arose from the ashes of TrueCrypt and added new security features.

Quarkslab senior security researcher Jean-Baptiste Bédrune and senior cryptographer Marion Videau crawled through the VeraCrypt codebase, focussing on version 1.18 of the platform and the DCS EFI Bootloader 1.18 (UEFI), examining new security features introduced since the April 2015 security audit of TrueCrypt.

They report boot passwords in UEFI mode and code length in legacy mode could be retrieved by attackers. This appears to stem from a failure to properly erase passwords when changed by users.

Further critical errors include the implementation of the GOST 28147-89 symmetric block cipher which the pair say must be abandoned due to implementation errors. All compression libraries were considered outdated or "poorly-written".

Researchers bankrolled by the Open Source Technology Improvement Fund on 1 August funded by DuckDuckGo and VikingVPN detailed their findings in a 42-page report (PDF).

Critical and medium -severity flaws have been fixed in the latest VeraCrypt release version 1.19, along with most low risk vulnerabilities and concerns. Those that remain unfixed were left due to the high complexity of patching, but researchers have also proposed workarounds.

VeraCrypt has since dumped GOST 28147-89 encryption allowing users to decrypt volumes but not create new instances using the cipher.

Boot password flaws were also squashed along with four other bootloader problems. "VeraCrypt is much safer after this audit, and the fixes applied to the software mean that the world is safer when using this software," the Open Source Technology Improvement Fund says of the audit.

The auditors say the review is useful and beneficial for users, but is too expensive to be conducted for every version of encryption tools. ®

Broader topics

Other stories you might like

Biting the hand that feeds IT © 1998–2022