Critical VeraCrypt flaws that were recently uncovered by cybersecurity firm QuarksLab have now been patched in version 1.19 of the popular full-disk encryption software. Users are being urged to upgrade to the latest version of the software as soon as possible now that details of the vulnerabilities have been disclosed publicly.
VeraCrypt is the successor to TrueCrypt, a popular free and open source disk encryption program used by many organizations until its developers abandoned it in 2014 with a warning that it was no longer safe to use.
QuarksLab conducted an audit, which was funded by the Open Source Technology Improvement Fund (OSTIF), in August this year.
A previous audit of TrueCrypt by the Open Crypto Audit Project revealed numerous vulnerabilities in the program. The purpose of the latest audit was to verify that those vulnerabilities had since been addressed. The audit also examined the DCS EFI Bootloader and some of the new features in VeraCrypt for new vulnerabilities.
The latest audit of VeraCrypt 1.18 revealed eight critical security flaws, along with three vulnerabilities deemed to be medium risk, and fifteen low-impact vulnerabilities.
Four problems were identified in the bootloader, all of which have been fixed in version 1.19. In version 1.18, keystrokes were not properly erased after authentication, there was memory corruption, there were null or bad pointer dereferences, and sensitive data was not erased correctly.
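The "sensitive data not erased" class of bug above is worth seeing concretely. The following is an added example written for this article, not code from VeraCrypt or the DCS bootloader, and it does not reproduce the audit's specific finding. It shows the general pattern: a plain memset() on a buffer that is never read again may be dropped by the optimizer as a dead store, so the secret survives in memory; writing through a volatile pointer (or using explicit_bzero/SecureZeroMemory where available) forces the overwrite to happen. The functions secure_wipe, is_wiped and use_and_wipe_password, and the toy checksum standing in for key derivation, are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not VeraCrypt/DCS code. Overwrite len bytes of buf with
 * zero through a volatile pointer so the compiler cannot treat the stores
 * as dead and remove them. A bare memset() here would be legal to elide
 * if buf is never read afterwards. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. The scan is
 * branch-free over the data so the check itself does not leak how much
 * of the buffer survived. */
int is_wiped(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Simulated password handler (hypothetical): copies the password into a
 * caller-supplied working buffer, "uses" it (a toy checksum stands in for
 * real key derivation), then wipes the whole buffer, not just the bytes
 * that were written. Returns the checksum; the caller can confirm with
 * is_wiped() that no password bytes remain. */
uint32_t use_and_wipe_password(const char *password, unsigned char *work, size_t work_len)
{
    size_t n = strlen(password);
    if (n > work_len) {
        n = work_len;
    }
    memcpy(work, password, n);

    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++) {
        sum = sum * 31u + work[i];
    }

    /* Wipe the entire buffer: stale data from a previous, longer password
     * could otherwise remain beyond the n bytes just used. */
    secure_wipe(work, work_len);
    return sum;
}
```

Note that a unit test cannot easily prove the optimizer would have removed a memset(): once the test reads the buffer back, the store is no longer dead. The point of the volatile write is to make the erase correct regardless of what the surrounding code does with the buffer afterwards.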
Other issues identified include “the availability of a 64-bit symmetric block cipher with a non-secure 64-bit block size called GOST; outdated and poorly written compression libraries; and the fact that UEFI boot passwords can be retrieved by an attacker.”
Not all of the critical VeraCrypt flaws uncovered by the audit have been addressed in the latest version of the software, owing to the difficulty of applying fixes, although workarounds for those vulnerabilities exist. The vast majority of the vulnerabilities have, however, been addressed in the latest version of the program, and if VeraCrypt is used as advised in the documentation supplied with VeraCrypt 1.19, the program should be secure.
According to OSTIF CEO and president Derek Zimmer, “As long as you are following the documentation for known issues and using it as advised, I believe [VeraCrypt 1.19] is one of the best FDE systems out there.”