Menu
Critical flaws found in open-source encryption software VeraCrypt

Critical flaws found in open-source encryption software VeraCrypt

Many issues were found in the new UEFI bootloader and have been patched in VeraCrypt 1.19

A new security audit has found critical vulnerabilities in VeraCrypt, an open-source, full-disk encryption program that's the direct successor of the widely popular, but now defunct, TrueCrypt.

Users are encouraged to upgrade to VeraCrypt 1.19, which was released Monday and includes patches for most of the flaws. Some issues remain unpatched because fixing them requires complex changes to the code and in some cases would break backward compatibility with TrueCrypt.

However, the impact of most of those issues can be avoided by following the safe practices mentioned in the VeraCrypt user documentation when setting up encrypted containers and using the software.

The audit, which was performed by French cybersecurity firm QuarksLab and was sponsored through the Open Source Technology Improvement Fund (OSTIF), found eight critical vulnerabilities, three medium risk vulnerabilities and 15 low-impact flaws. Some of them are unpatched issues previously found by an older TrueCrypt audit.

Many flaws were located and fixed in VeraCrypt's bootloader for computers and OSes that use the new UEFI (Unified Extensible Firmware Interface) -- the modern BIOS. TrueCrypt, which serves as the base for VeraCrypt, never had support for UEFI, forcing users to disable UEFI boot if they wanted to encrypt the system partition.

VeraCrypt's UEFI-compatible bootloader -- a first for open-source encryption programs on Windows -- was released in August and is the biggest addition to the TrueCrypt code base made by VeraCrypt's lead developer, Mounir Idrassi. This makes it much less mature than the rest of the code, so it's understandable that it would have more flaws in it.

Another change made following the audit was the removal of the Russian GOST 28147-89 encryption standard, whose implementation the auditors deemed unsafe. Users will still be able to decrypt and access existing containers encrypted with this algorithm, but won't be able to create new ones.

The XZip and XUnzip libraries which were used in VeraCrypt for various operations also had flaws, so the developer decided to replace them with the more modern and secure libzip library.

The auditors thanked Mounir Idrassi and his company Idrix for working with them on resolving the identified problems and for developing what they called a "crucial open-source software" program.

While VeraCrypt is available for multiple operating systems, it is on Windows where it has the biggest impact, because there aren't many free full-disk encryption options on Windows that also allow encrypting the OS drive.

Microsoft's BitLocker disk encryption technology is only included in the professional and enterprise versions of Windows and most other solutions are commercial. This is what made TrueCrypt so popular in the first place and why its sudden demise left a big void.

Idrassi clarified on Twitter Tuesday that all issues specific to VeraCrypt and one inherited from TrueCrypt were fixed in VeraCrypt 1.19. The remaining issues that haven't yet been fixed are all inherited from TrueCrypt.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments