• IT-Karriere:
  • Services:

Missing chapter about off-by-one-overflows

However the report hints that more such flaws exist. Another chapter in the documents mentions, that several such off-by-one-errors were found, but due to a lack of a complete code analysis only examples can be shown. However even those examples are missing in the document - the following chapter only consists of a headline and has no content.

  1. WEINMANN Emergency Medical Technology GmbH + Co. KG, Hamburg
  2. Fresenius Medical Care Deutschland GmbH, St. Wendel

Several times the documents mention a systemic weakness of Truecrypt on Linux if non-root users are allowed to mount Truecrypt volumes. This is not officially supported, however one can allow users to execute the so-called Core Service from Truecrypt via sudo.

This makes it possible for users to mount encrypted disks, however it automatically also allows those users root privilege escalation. The BSI audit mentions several ways how that is possible, in the simplest case a user can mount a Truecrypt volume that contains a file with suid root permission that will open a shell. Golem.de was able to replicate this scenario in a current version of Veracrypt.

Keys and Passwords are often not properly overwritten

Most of the specific weaknesses and proposed improvements are regarding the memory management and the secure wiping of memory areas. In cryptographic software it is common practice to overwrite memory that contained keys, passwords or other critical data after its use. This is done to prevent leaking of memory later due to other software error.

The correct implementation of this wiping is not trivial, as compilers can optimize out such overwriting commands. A talk at last year's 35C3 discusses this problem in detail. The Truecrypt and Veracrypt code uses a macro named burn, but it is not used in all places where this would be sensible.

The BSI audit has an extensive list of functions in the Truecrypt code. It was checked for each function whether it uses key material and if this is overwritten correctly. In many instances the auditors found weaknesses.

Particularly problematic is a C++ class called Memory that has a special function Erase and that does not use the safe macro burn, but a normal call to the memset function. However this error was fixed in newer versions of Truecrypt.

However the BSI audit mentions various other such mistakes, many of whom are still present in Veracrypt's code. In some functions key material is stored in temporary variables, in other places not all possible code paths are properly considered. We have sent patches for some of these problems to the Veracrypt developers.

Uninitialized Array can be used according to C standard

We found one description of a supposed bug that actually isn't one. In a function to calculate hashes with the RIPEMD160 algorithm a global array is in some situations used uninitialized. However that is no problem: Static arrays are always initialized with zeros according to the C standard.

None of the weaknesses mentioned in this report is critical. The encryption is and stays relatively solid and safe. However everyone who uses Veracrypt should only use the latest version and install provided security updates. And people who still use Truecrypt should switch to Veracrypt.

The information from this audit could be used to improve the security of Veracrypt. Many users would profit from that. While Truecrypt and Veracrypt aren't as important as they once were, it seems especially German municipalities often still use them. According to a survey by the privacy commissioner of the federal state Baden-Württemberg 9 percent of municipalities say that they use either Truecrypt or Veracrypt.

Shortly before we published this article the BSI has allowed to publish the Truecrypt documents. They can be downloaded from the Frag den Staat web page.

Update from December 16th 2019, 13:22

Added link to documents that are now publicly available. Dieser Text ist auch auf deutsch verfügbar.

Bitte aktivieren Sie Javascript.
Oder nutzen Sie das Golem-pur-Angebot
und lesen Golem.de
  • ohne Werbung
  • mit ausgeschaltetem Javascript
  • mit RSS-Volltext-Feed
 Truecrypt developers suddenly end development and point to security problems
  2. 1
  3. 2
  4. 3

  1. 15,49€
  2. (u. a. Star Wars: Squadrons für 29,99€, Star Wars Jedi: Fallen Order für 29,99€, Star Wars...

danielmain 16. Dez 2019

Was für eine Leistung in den Top 10 von Hacker news zu stehen. Weiterso!

Folgen Sie uns

Samsung Galaxy Note 20 (Ultra) - Hands On

Die neuen Galaxy Note 20 und Galaxy Note 20 Ultra von Samsung kommen wieder mit dem S Pen.

Samsung Galaxy Note 20 (Ultra) - Hands On Video aufrufen
The Secret of Monkey Island: Ich bin ein übelriechender, groggurgelnder Pirat!
The Secret of Monkey Island
"Ich bin ein übelriechender, groggurgelnder Pirat!"

Das wunderbare The Secret of Monkey Island feiert seinen 30. Geburtstag. Golem.de hat einen neuen Durchgang gewagt - und wüst geschimpft.
Von Benedikt Plass-Fleßenkämper

    Energiewende: Wie die Begrünung der Stahlindustrie scheiterte
    Wie die Begrünung der Stahlindustrie scheiterte

    Vor einem Jahrzehnt suchte die europäische Stahlindustrie nach Technologien, um ihren hohen Kohlendioxid-Ausstoß zu reduzieren, doch umgesetzt wurde fast nichts.
    Eine Recherche von Hanno Böck

    1. Wetter Warum die Klimakrise so deprimierend ist

    Yakuza und Dirt 5 angespielt: Xbox Series X mit Rotlicht und Rennstrecke
    Yakuza und Dirt 5 angespielt
    Xbox Series X mit Rotlicht und Rennstrecke

    Abenteuer im Rotlichtviertel von Yakuza und Motorsport in Dirt 5: Golem.de konnte zwei Starttitel der Xbox Series X ausprobieren.
    Von Peter Steinlechner

    1. Next-Gen GUI der PS5 mit höherer Auflösung als Xbox Series X/S
    2. Xbox Series X Zwei Wochen mit Next-Gen auf dem Schreibtisch
    3. Next-Gen PS5 und neue Xbox wollen Spieleklassiker aufhübschen

      •  /