Missing chapter about off-by-one-overflows

However, the report hints that more such flaws exist. Another chapter in the documents mentions that several such off-by-one errors were found, but that only examples can be shown because a complete code analysis was not carried out. Even those examples are missing from the document, however - the following chapter consists only of a headline and has no content.

Several times the documents mention a systemic weakness of Truecrypt on Linux if non-root users are allowed to mount Truecrypt volumes. This is not officially supported; however, one can allow users to execute the so-called Core Service from Truecrypt via sudo.

This makes it possible for users to mount encrypted disks, but it automatically also allows those users to escalate their privileges to root. The BSI audit mentions several ways in which that is possible; in the simplest case, a user can mount a Truecrypt volume that contains a file with suid root permission that will open a shell. Golem.de was able to replicate this scenario in a current version of Veracrypt.

Keys and Passwords are often not properly overwritten

Most of the specific weaknesses and proposed improvements concern memory management and the secure wiping of memory areas. In cryptographic software it is common practice to overwrite memory that contained keys, passwords or other critical data after use. This is done to prevent that data from leaking later through some other software error.

The correct implementation of this wiping is not trivial, as compilers can optimize out such overwriting commands. A talk at last year's 35C3 discusses this problem in detail. The Truecrypt and Veracrypt code uses a macro named burn, but it is not used in all places where this would be sensible.

The BSI audit has an extensive list of functions in the Truecrypt code. For each function, the auditors checked whether it uses key material and whether that material is overwritten correctly. In many instances they found weaknesses.

Particularly problematic is a C++ class called Memory with a special function Erase that does not use the safe macro burn, but a normal call to the memset function. However, this error was fixed in newer versions of Truecrypt.

However, the BSI audit mentions various other such mistakes, many of which are still present in Veracrypt's code. In some functions key material is stored in temporary variables; in other places not all possible code paths are properly considered. We have sent patches for some of these problems to the Veracrypt developers.
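The two problem classes described above, a wipe that the compiler may remove and key material left behind in temporary variables or on error paths, can be shown in a short C sketch. This is an added example, not code from Truecrypt, Veracrypt or the audit, and it is not the burn macro; `key_ctx`, `wipe`, `residue` and `tag_from_password` are hypothetical names, and the key derivation is a toy stand-in.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical caller-owned context holding key material. */
struct key_ctx { unsigned char key[32]; };

/* Stores through a volatile pointer are treated as side effects, so compilers
 * keep them; a plain memset() on a buffer that is never read again can be
 * removed as a dead store. Platform calls such as explicit_bzero() or
 * SecureZeroMemory() serve the same purpose where available. */
static void wipe(void *mem, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)mem;
    while (len--)
        *p++ = 0;
}

/* Number of non-zero bytes left in a buffer (used to check the wipe). */
size_t residue(const void *mem, size_t len)
{
    const unsigned char *p = mem;
    size_t n = 0;
    while (len--)
        n += (*p++ != 0);
    return n;
}

/* Derives a toy key (NOT a real KDF), folds it into a one-byte tag and wipes
 * both the context and the temporary copy on every exit path. */
int tag_from_password(struct key_ctx *ctx, const char *pw, unsigned char *tag)
{
    unsigned char tmp[sizeof ctx->key] = {0};  /* temporary key copy */
    size_t i, pwlen = strlen(pw);
    int rc = -1;

    if (pwlen == 0)
        goto out;                         /* early error: still wiped */
    for (i = 0; i < sizeof ctx->key; i++)
        ctx->key[i] = (unsigned char)(pw[i % pwlen] ^ (0x5a + i));
    memcpy(tmp, ctx->key, sizeof tmp);
    if (pwlen > 64)
        goto out;                         /* late error: key is live here */
    for (*tag = 0, i = 0; i < sizeof tmp; i++)
        *tag ^= tmp[i];
    rc = 0;
out:
    wipe(tmp, sizeof tmp);                /* a bare "return -1" above would skip this */
    wipe(ctx->key, sizeof ctx->key);
    return rc;
}
```

The single exit label is what keeps the late error path from returning with the key still in `tmp` and `ctx->key`.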

Uninitialized Array can be used according to C standard

We found one description of a supposed bug that actually isn't one. In a function that calculates hashes with the RIPEMD160 algorithm, a global array is used uninitialized in some situations. However, that is no problem: according to the C standard, static arrays are always initialized with zeros.

None of the weaknesses mentioned in this report is critical. The encryption is and stays relatively solid and safe. However, everyone who uses Veracrypt should only use the latest version and install provided security updates. And people who still use Truecrypt should switch to Veracrypt.

The information from this audit could be used to improve the security of Veracrypt. Many users would profit from that. While Truecrypt and Veracrypt aren't as important as they once were, it seems that German municipalities in particular often still use them. According to a survey by the privacy commissioner of the federal state of Baden-Württemberg, 9 percent of municipalities say that they use either Truecrypt or Veracrypt.

Shortly before we published this article, the BSI allowed the publication of the Truecrypt documents. They can be downloaded from the Frag den Staat web page.

Update from December 16th 2019, 13:22

Added link to documents that are now publicly available. This text is also available in German.
