A Quarkslab security audit of open source file and disk encryption package VeraCrypt concluded that a total of eight critical vulnerabilities, three medium flaws and 15 additional low-priority bugs have been identified.
VeraCrypt is an open-source disk encryption security software used by activists, journalists, and users desiring anonymity. The direct successor to the now-defunct TrueCrypt, the encryption software is used worldwide to encrypt single files, folders or full disks and builds on the original project with security enhancements and new, advanced security features.
The audit was performed by French cybersecurity QuarksLab researchers and was funded by the Open Source Technology Improvement Fund (OSTIF). They analyzed VeraCrypt 1.8’s UEFI-compatible bootloader mainly focusing on new features introduced since last year’s TrueCrypt security audit. Part of the VeraCrypt audit was to assure that any vulnerabilities identified in the OCAP audit of TrueCrypt were patched in VeraCrypt. The remainder of the assessment was a look into the VeraCrypt’s existing code and new features, including UEFI support, support for non-Western crypto algorithms, etc.
“VeraCrypt is a project hard to maintain,” researchers said. “Deep knowledge of several operating systems, the Windows kernel, the system boot chain and good concepts in cryptography are required. The improvements made by IDRIX demonstrate the possession of these skills.”
The most notable flaws in the report include:
- Critical bugs in the implementation of GOST 28147-89, a symmetric block cipher with a 64-bit block size. The XTS code has not been adapted for such ciphers, and must be removed completely due to unsafe implementation.
- All compression libraries are considered outdated or “poorly-written,” and must be replaced with modern and more secure zip libraries.
- If the system is encrypted, the boot password in UEFI mode or its length can be received by attackers.
Users are strongly advised to download and update the latest VeraCrypt 1.19, which was released Monday and includes patches for most of the flaws.