vulnerabilities

Topics: Technical Issues
Oct 18, 2015 at 1:32 AM
Are the vulnerabilities CVE-2015-7358 and CVE-2015-7359 only affecting encrypted boot disks in Windows, or do they also endanger encrypted file containers (e.g., on USB sticks)? If the latter is true, are there any additional measures that need to be taken (e.g., re-encrypting with the new version)?

thank you
Oct 18, 2015 at 2:03 AM
Edited Oct 18, 2015 at 2:10 AM
The two vulnerabilities are exploits of the respective TrueCrypt and VeraCrypt drivers. No impact to the hash and encryption algorithms.

Upgrade to version 1.16 to prevent the exploits and deinstall the TrueCrypt software.

Mounir provided his explanations in the article for CVE-2015-7358 (critical) and CVE-2015-7359.

https://threatpost.com/veracrypt-patched-against-two-critical-truecrypt-flaws/114833/
Oct 18, 2015 at 6:38 AM
Enigma2Illusion, I also have the same question as the OP. I did read the explanation of Mounir as well as other sources, however I do not understand whether the vulnerability only applies when the driver handles system encryption (i.e., boot disks) or in any other form of encryption (containers, partitions).
In other words, if I am running TC or pre-VC 1.16 and I am NOT using system encryption, am I still vulnerable to these flaws?
Cheers
Oct 18, 2015 at 2:06 PM
Hello Alex,
In other words, if I am running TC or pre-VC 1.16 and I am NOT using system encryption, am I still vulnerable to these flaws?
Yes and it does not matter what type of encryption volumes you are using on your system. Only that the driver is available on the system.

The flaw is using malware code calling the TrueCrypt or VeraCrypt driver to perform a mount volume operation. But instead of actually mounting a fake volume, the malware can deliver its payload.

Using a new PC with no prior TrueCrypt or pre-1.15 VeraCrypt installations, merely installing either software (TrueCrypt or pre-1.15 VeraCrypt) will allow the malware to perform whatever tasks it has been designed for by the perpetrator, simply by calling either the TrueCrypt or VeraCrypt driver.

Currently, version 1.16 resolves these vulnerabilities and removes the side effects discovered by the user community in version 1.15.

Kind Regards.
Oct 18, 2015 at 3:58 PM
Thanks Enigma2Illusion!
One more thing, do you mean to say that if the victim has TC (or VC <1.16) installed and NOT started at all.... is he still vulnerable?
Thanks
Oct 18, 2015 at 5:23 PM
One more thing, do you mean to say that if the victim has TC (or VC <1.16) installed and NOT started at all.... is he still vulnerable?
Correct.
Oct 18, 2015 at 5:45 PM
Enigma2Illusion wrote:
One more thing, do you mean to say that if the victim has TC (or VC <1.16) installed and NOT started at all.... is he still vulnerable?
Correct.
Thank you..... :)
And really the last one: if uninstalling VC 1.13, do I need to manually remove some entries in the registry or some temp files? Or just uninstall 1.13 and install 1.16?
Oct 18, 2015 at 7:43 PM
It would be easier to upgrade VeraCrypt from 1.13 to 1.16 versus deinstalling 1.13 and then installing version 1.16.

You will need to convert your TrueCrypt volumes to VeraCrypt volumes and deinstall TrueCrypt to avoid the two vulnerabilities.

You are welcome. :-)
Oct 18, 2015 at 10:32 PM
Thanks for the detailed explanations. One follow-up: does that mean somebody who gets hold of a copy of any VC file container (even one created with VC 1.16) could put that on a PC that runs VC pre-1.13, and use the vulnerability of that old program to get the payload of the file container? If yes, what would be the way to protect against that?
Oct 18, 2015 at 10:54 PM
Hello,
  1. Any PC/server running TrueCrypt or a pre-1.15 version of VeraCrypt is open to having the software's driver exploited.
  2. The exploit of CVE-2015-7358 vulnerability can compromise your system. Not just TC and VC volumes that are mounted.
  3. All PCs/servers must convert to VeraCrypt version 1.16 or higher (when newer versions are released) and deinstall TrueCrypt to avoid the two vulnerabilities.
Kind Regards.
Oct 18, 2015 at 11:08 PM
Thanks, I will certainly upgrade to VeraCrypt 1.16 today. But my question is the following: assume a snooper keeps (consciously, for malicious purposes) an old version of VeraCrypt or TrueCrypt on his PC. Then he gets hold of a file container created in any version of VC (I understood that it would not matter whether created pre-1.16 or not). He copies that file container to his PC. Can he now access the payload? And if yes, what would one need to do to protect against this?
Oct 19, 2015 at 12:58 AM
It is clear from this thread that people still do not understand what the two vulnerabilities are and how they impact their system.

CVE-2015-7358
An attacker can leverage a running process to get full administrative privileges.

Once someone has the ability to create/use an account with full administrator privileges, they can do anything to your system and install malware remotely.

CVE-2015-7359
Allows an attacker to impersonate another user on the same machine and allows them to dismount a VeraCrypt volume or change how the software is configured.

“The only possible attack is on a shared machine (for example a server) where a user can dismount volumes mounted by others and he can also list all mounted volumes and get their properties (file location, partition, algorithms used, size…),” Idrassi said. “This can be used as a preliminary step for a more targeted attack, and it can also be used as a disruptive attack by dismounting volumes used by the system through the compromise of a normal user account.”

RETN7LP45 wrote:
He copies that file container to his PC. Can he now access the payload? And if yes, what would one need to do to protect against this?
There is no payload to access. The payload is a generic term that can be anything from annoyance to more serious activities. For example, delete certain files, spam email, and other nefarious activities.

Short answer is no as long as the source system is not compromised and you do not mount the volumes on compromised TrueCrypt or older versions of VeraCrypt systems.

Sorry I created more confusion than clarity. :-)
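The thread's practical conclusion is a fleet-inventory rule rather than a per-volume one: a host is exposed to CVE-2015-7358 and CVE-2015-7359 if the TrueCrypt driver or a VeraCrypt driver older than the recommended 1.16 is installed, regardless of whether any volume is mounted or whether the program was ever started, and the fix is to upgrade VeraCrypt in place or to convert TrueCrypt volumes and remove TrueCrypt. The following Python script is an added example that encodes exactly that rule for triaging an inventory export; it is not code from the thread or from the VeraCrypt project. The `Host` record, the sample inventory, and the assumption that version strings start with "major.minor" (so "1.0f-2" parses as 1.0) are constructed for the example.

```python
"""Triage a constructed host inventory against the thread's rule for
CVE-2015-7358 / CVE-2015-7359: exposure is decided by which encryption driver
is installed, not by how many volumes are mounted.  Added example, not the
thread's or the project's own code."""
import re
from dataclasses import dataclass
from typing import Optional

# Remediation threshold recommended in the thread (1.15 closed the CVEs but had
# side effects, so 1.16 is the version to be on).
FIXED_VERSION = (1, 16)
CVES = ("CVE-2015-7358", "CVE-2015-7359")


@dataclass(frozen=True)
class Host:
    """One inventory row.  product is 'TrueCrypt', 'VeraCrypt' or None when
    neither driver is installed.  mounted_volumes is recorded only for the
    report; it deliberately plays no part in the exposure decision."""
    name: str
    product: Optional[str]
    version: Optional[str]
    mounted_volumes: int = 0


def parse_version(text: str) -> tuple:
    """Return (major, minor) from a version string such as '1.16' or '1.0f-2'.
    Assumption: every version string begins with 'major.minor'."""
    match = re.match(r"\s*(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(match.group(1)), int(match.group(2))


def assess(host: Host) -> dict:
    """Classify one host.  The result carries the exposure verdict, the CVEs
    that apply and the remediation the thread recommends."""
    result = {"host": host.name, "exposed": False, "cves": []}
    if host.product is None:
        result["action"] = "none: no TrueCrypt/VeraCrypt driver installed"
        return result
    product = host.product.lower()
    if product == "truecrypt":
        # Every TrueCrypt release ships the affected driver; there is no fixed
        # TrueCrypt version, so the only remedy is migration and removal.
        result.update(exposed=True, cves=list(CVES),
                      action="convert volumes to VeraCrypt, install VeraCrypt "
                             "1.16 or later, then deinstall TrueCrypt")
        return result
    if product == "veracrypt":
        if host.version is None:
            raise ValueError(f"{host.name}: VeraCrypt without a version string")
        if parse_version(host.version) >= FIXED_VERSION:
            result["action"] = f"none: VeraCrypt {host.version} is at or above 1.16"
            return result
        # In-place upgrade is preferred over deinstall/reinstall (thread advice).
        result.update(exposed=True, cves=list(CVES),
                      action=f"upgrade VeraCrypt {host.version} in place to 1.16 or later")
        return result
    raise ValueError(f"{host.name}: unknown product {host.product!r}")


def triage(hosts) -> dict:
    """Split an inventory into exposed and clean host names, preserving order."""
    reports = [assess(h) for h in hosts]
    return {
        "exposed": [r["host"] for r in reports if r["exposed"]],
        "clean": [r["host"] for r in reports if not r["exposed"]],
        "reports": reports,
    }


# Constructed sample inventory (host names, products and versions are made up).
SAMPLE_INVENTORY = [
    Host("fileserver-01", "VeraCrypt", "1.13", mounted_volumes=4),
    Host("laptop-07", "TrueCrypt", "7.1a", mounted_volumes=0),
    Host("laptop-12", "VeraCrypt", "1.16", mounted_volumes=1),
    Host("build-03", None, None),
    Host("legacy-02", "VeraCrypt", "1.0f-2", mounted_volumes=0),
]

if __name__ == "__main__":
    for report in triage(SAMPLE_INVENTORY)["reports"]:
        flag = "EXPOSED" if report["exposed"] else "ok     "
        print(f"{flag}  {report['host']:<14} {report['action']}")
```

Note that `laptop-07` is flagged with zero mounted volumes and `laptop-12` is clean with a volume mounted: the mount count never enters the decision, which is the point Enigma2Illusion makes about the driver merely being present. A real inventory export would replace `SAMPLE_INVENTORY`, but the classification logic stays the same.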