Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <201404171859.s3HIxi2p000049@linus.mitre.org>
Date: Thu, 17 Apr 2014 14:59:44 -0400 (EDT)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: TrueCrypt audit report

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This report points out a number of issues that are certainly
worthwhile to fix (or, in some cases, "improve" rather than "fix")
within a product of this type. Not all of these issues would be
considered vulnerabilities in the classic sense. As far as we can tell,
the scope of the threat model or models was not explicitly defined
within the report document, and the report instead is described as
covering "issues that could lead to information disclosure, elevation
of privilege, or similar concerns." It's unclear why findings such as
the ability of an administrator to cause a BSOD are considered
"similar." Also, the report identifies some issues that are apparently
outside the intended security properties as described at:

  http://www.truecrypt.org/docs/security-model
  http://www.truecrypt.org/docs/physical-security
  http://www.truecrypt.org/docs/non-admin-users
  
In other cases, the report identifies behavior that is wrong, but does
not clarify whether there is a security impact or only a usability
impact. In addition, we are unaware of whether a vendor response
exists or is anticipated.

These are the three issues that, based on the information directly
contained in the report, would fall within the scope of CVE regardless
of the vendor response:

> TC_IOCTL_OPEN_TEST and TC_IOCTL_GET_SYSTEM_DRIVE_CONFIG: an attacker
> can
> 
>   -- Deduce the presence of files they do not have access to
>   -- Deduce if said files are smaller than TC_MAX_VOLUME_SECTOR_SIZE
>   -- Deduce if said files start with the string "TrueCrypt" or one of four magic markers

Use CVE-2014-2884.


> integer overflow in the MainThreadProc function in
> EncryptedIoQueue.c ... could result in information disclosure.
> 
> integer overflow in the ProcessVolumeDeviceControlIrp function in
> Ntdriver.c ... can result in Denial of Service (starve the kernel of
> memory)

Use CVE-2014-2885.


(i.e., three distinct issues but two CVE IDs)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTUCRUAAoJEKllVAevmvmssIgIALDlarnSEWz7t+TCc/sqj6bB
v13XUmfCEP2s++SI7WjsJQEq+NDMXFNbNrydSiCtiIA3qnx+iJImwsYXM2MwWFX6
1B7/JOcJW8ncU8/X3ikJ5vETtSViQO6FLjh+yjYMgCK/okQ4AXDero2K/VAfqD3M
/Ns1ZDW3Jt60wzM3tjIxJcckMVLjd7VibYT/otH5tupRM8ytFzgvKtYQ3E/6X/IR
el0bEaSFysOY7s5QzZfQ68Vbwr+4Vx2WpcrclsAviyGiQs+klotRYRQRdYQfLOSW
9WO6T1DLtVG/8VaaHcLzV5EWXfCH88LotLximAtKONTwHjX94OUe4b/S4p9npaE=
=INWV
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.