Missing chapter about off-by-one-overflows

However the report hints that more such flaws exist. Another chapter in the documents mentions, that several such off-by-one-errors were found, but due to a lack of a complete code analysis only examples can be shown. However even those examples are missing in the document - the following chapter only consists of a headline and has no content.

  1. Product Designer UX/UI (m/f/d)
    ToolTime GmbH, Berlin
  2. IT-Generalist (m/w/d)
    SaluVet GmbH, Bad Waldsee

Several times the documents mention a systemic weakness of Truecrypt on Linux if non-root users are allowed to mount Truecrypt volumes. This is not officially supported, however one can allow users to execute the so-called Core Service from Truecrypt via sudo.

This makes it possible for users to mount encrypted disks, however it automatically also allows those users root privilege escalation. The BSI audit mentions several ways how that is possible, in the simplest case a user can mount a Truecrypt volume that contains a file with suid root permission that will open a shell. Golem.de was able to replicate this scenario in a current version of Veracrypt.

Keys and Passwords are often not properly overwritten

Most of the specific weaknesses and proposed improvements are regarding the memory management and the secure wiping of memory areas. In cryptographic software it is common practice to overwrite memory that contained keys, passwords or other critical data after its use. This is done to prevent leaking of memory later due to other software error.

Golem Akademie
  1. Kotlin für Java-Entwickler: virtueller Zwei-Tage-Workshop
    03.–04. Februar 2022, Virtuell
  2. Unity Basiswissen: virtueller Drei-Tage-Workshop
    7.–9. Februar 2022, Virtuell
Weitere IT-Trainings

The correct implementation of this wiping is not trivial, as compilers can optimize out such overwriting commands. A talk at last year's 35C3 discusses this problem in detail. The Truecrypt and Veracrypt code uses a macro named burn, but it is not used in all places where this would be sensible.

The BSI audit has an extensive list of functions in the Truecrypt code. It was checked for each function whether it uses key material and if this is overwritten correctly. In many instances the auditors found weaknesses.

Particularly problematic is a C++ class called Memory that has a special function Erase and that does not use the safe macro burn, but a normal call to the memset function. However this error was fixed in newer versions of Truecrypt.

However the BSI audit mentions various other such mistakes, many of whom are still present in Veracrypt's code. In some functions key material is stored in temporary variables, in other places not all possible code paths are properly considered. We have sent patches for some of these problems to the Veracrypt developers.

Uninitialized Array can be used according to C standard

We found one description of a supposed bug that actually isn't one. In a function to calculate hashes with the RIPEMD160 algorithm a global array is in some situations used uninitialized. However that is no problem: Static arrays are always initialized with zeros according to the C standard.

None of the weaknesses mentioned in this report is critical. The encryption is and stays relatively solid and safe. However everyone who uses Veracrypt should only use the latest version and install provided security updates. And people who still use Truecrypt should switch to Veracrypt.

The information from this audit could be used to improve the security of Veracrypt. Many users would profit from that. While Truecrypt and Veracrypt aren't as important as they once were, it seems especially German municipalities often still use them. According to a survey by the privacy commissioner of the federal state Baden-Württemberg 9 percent of municipalities say that they use either Truecrypt or Veracrypt.

Shortly before we published this article the BSI has allowed to publish the Truecrypt documents. They can be downloaded from the Frag den Staat web page.

Update from December 16th 2019, 13:22

Added link to documents that are now publicly available. Dieser Text ist auch auf deutsch verfügbar.

Bitte aktivieren Sie Javascript.
Oder nutzen Sie das Golem-pur-Angebot
und lesen Golem.de
  • ohne Werbung
  • mit ausgeschaltetem Javascript
  • mit RSS-Volltext-Feed
 Truecrypt developers suddenly end development and point to security problems
  2. 1
  3. 2
  4. 3

Aktuell auf der Startseite von Golem.de
Xbox Cloud Gaming
Wenn ich groß bin, möchte ich gerne Netflix werden

Call of Duty, Fallout oder Halo: Neue Spiele bequem am Business-Laptop via Stream zocken, klingt zu gut, um wahr zu sein. Ist auch nicht wahr.
Ein Erfahrungsbericht von Benjamin Sterbenz

Xbox Cloud Gaming: Wenn ich groß bin, möchte ich gerne Netflix werden
  1. Lego Star Wars UCS AT-AT aufgebaut: Das ist kein Mond, das ist ein Lego-Modell
    Lego Star Wars UCS AT-AT aufgebaut
    "Das ist kein Mond, das ist ein Lego-Modell"

    Ganz wie der Imperator es wünscht: Der Lego UCS AT-AT ist riesig und imposant - und eines der besten Star-Wars-Modelle aus Klemmbausteinen.
    Ein Praxistest von Oliver Nickel

  2. Kryptowährung im Fall: Bitcoin legt rasante Talfahrt hin
    Kryptowährung im Fall
    Bitcoin legt rasante Talfahrt hin

    Am Samstag setzte sich der Absturz des Bitcoin fort. Ein Bitcoin ist nur noch 34.200 US-Dollar wert. Auch andere Kryptowährungen machen Verluste.

  3. Andromeda: Dieses Microsoft-Smartphone-Betriebssystem erschien nie
    Dieses Microsoft-Smartphone-Betriebssystem erschien nie

    Erstmals ist ein Blick auf Andromeda möglich - das Smartphone-Betriebssystem, das Microsoft bereits vor einigen Jahren eingestellt hat.

Du willst dich mit Golem.de beruflich verändern oder weiterbilden?
Zum Stellenmarkt
Zur Akademie
Zum Coaching
  • Schnäppchen, Rabatte und Top-Angebote
    Die besten Deals des Tages
    Daily Deals • MediaMarkt & Saturn: Heute alle Produkte versandkostenfrei • Corsair Vengeance RGB RT 16-GB-Kit DDR4-4000 114,90€ • Alternate (u.a. DeepCool AS500 Plus 61,89€) • Acer XV282K UHD/144 Hz 724,61€ • MindStar (u.a. be quiet! Pure Power 11 CM 600W 59€) • Sony-TVs heute im Angebot [Werbung]
    •  /