VeraCrypt - free data encryption software
#2
Following up on [link] - its results are in, and with them a new version that is the response to the audit.
The changelog points to a good number of fixes, as quite a few vulnerabilities were found :)
Changelog

Quote: 1.19 (October 17th, 2016):
  • All OSs:
    • Fix issues raised by Quarkslab audit.
      • Remove GOST89 encryption algorithm.
      • Make PBKDF2 and HMAC code clearer and easier to analyze.
      • Add test vectors for Kuznyechik.
      • Update documentation to warn about risks of using command line switch ”tokenpin”.
    • Use SSE2 optimized Serpent algorithm implementation from Botan project (2.5 times faster on 64-bit platforms).
  • Windows:
    • Fix keyboard issues in EFI Boot Loader.
    • Fix crash on 32-bit machines when creating a volume that uses Streebog as PRF.
    • Fix false positive detection of Evil-Maid attacks in some cases (e.g. hidden OS creation)
    • Fix failure to access EFS data on VeraCrypt volumes under Windows 10.
    • Fix wrong password error in the process of copying hidden OS.
    • Fix issues raised by Quarkslab audit:
      • Fix leak of password length in MBR bootloader inherited from TrueCrypt.
      • EFI bootloader: Fix various leaks and erase keyboard buffer after password is typed.
      • Use libzip library for handling zip Rescue Disk file instead of vulnerable XUnzip library.
    • Support EFI system encryption for 32-bit Windows.
    • Perform shutdown instead of reboot during Pre-Test of EFI system encryption to detect incompatible motherboards.
    • Minor GUI and translations fixes.
  • MacOSX:
    • Remove dependency to MacFUSE compatibility layer in OSXFuse.



Download the new version



Audit summary

Quote: VeraCrypt 1.18 and its bootloaders were evaluated. This release included a number of new features including non-western developed encryption options, a boot loader that supports UEFI (modern BIOSes), and more.

QuarksLab found:
8 Critical Vulnerabilities
3 Medium Vulnerabilities
15 Low or Informational Vulnerabilities / Concerns

This public disclosure of these vulnerabilities coincides with the release of VeraCrypt 1.19 which fixes the vast majority of these high priority concerns. Some of these issues have not been fixed due to high complexity for the proposed fixes, but workarounds have been presented in the documentation for VeraCrypt.
The Fixes:

Because of this audit, VeraCrypt has issued a number of fixes to both the application and the bootloader in 1.19.

The fixes include:
  • Removal of the GOST 28147-89 encryption option entirely. The implementation was unsafe. Functionality for decryption of volumes that used this cipher is still in place, but new volumes cannot be created using this cipher.
  • Removal of XZip and XUnzip. These were replaced with modern and more secure zip libraries (libzip).
  • Fixes implemented for the vulnerability described in section 5.1 (password length can be determined in classic bootloader).
  • Fixes implemented for the vulnerability described in section 7.1 for the new bootloader. (keystrokes not erased after authentication)
  • Fixes implemented for the vulnerability described in section 7.2 for the new bootloader. (sensitive data not correctly erased)
  • Fixes implemented for the vulnerability described in section 7.3 for the new bootloader. (memory corruption)
  • Fixes implemented for the vulnerability described in section 7.4 for the new bootloader. (null pointer, dead code, inconsistent data reads by ConfigRead, bad pointer in EFIGetHandles, null pointer dereference in the graphic library.)
  • Updates to user documentation for other vulnerabilities that can be closed by user practices.



Official Quarkslab statement


"Security is a journey, not a destination in itself - it is not a problem that can be solved once and for all"
"Trust is not a control, and hope is not a strategy"


Messages in this thread
RE: VeraCrypt - free data encryption software - by ichito - 18.10.2016, 07:34
