Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <5601973A.5080009@idrix.fr>
Date: Tue, 22 Sep 2015 20:00:26 +0200
From: VeraCrypt Team <veracrypt@...ix.fr>
To: oss-security@...ts.openwall.com
Subject: CVE Request - TrueCrypt 7.1a and VeraCrypt 1.14 Local Elevation of
 Privilege


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
 
Hi,

I would like to request two CVE identifiers for the two security issues
described below affecting TrueCrypt 7.1a (latest version) and its fork
VeraCrypt 1.14 (latest version) running on all versions of Windows.

These issues were reported by James Forshaw (Google).

Issue 1: Local Elevation of Privilege on Windows by abusing
              drive letter handling.

Issue 2: Local Elevation of Privilege on Windows caused by incorrect
              Impersonation Token Handling.

Issue 1 is critical.

A fix has already been developed. Version 1.15 of VeraCrypt will be
released soon to address those issues.

For your information, I have sent a similar CVE request to mitre.org.

Regards,
- -- 
Mounir IDRASSI
https://veracrypt.codeplex.com
https://www.idrix.fr
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQIcBAEBCgAGBQJWAZc3AAoJEOtVnHxU3dOT9FAQAJF5RtEuWnMVp8qLVKZewJuH
su6zPOuErxyJRKPTcnt2drT4/merlDN7OHYmoCB8d4KShEECM8plb71Zv6tsft28
B8Oi8BUvJxzSeFj+n5rPYTRSidtPeJr3S110gCkTS4mPcOLsqVzDSMurzye0C1QP
U6wxIRQEps+678B9inXANKMrHnE2MBCbjEz+YXHpX9Wn4uFxJFjXGhSG5ixCXwFh
yGCA9tshoCDL2WGdG7uCKRiathWZvLk25tJxH+WnSs/wVcrjBJJEww5yUcVYN+tP
1w1wUg8RK56Ostk5MUCOcjVozKfFnhEdpKSjnfzUiOOq1bQKOhkERUM4KovMQinY
mj6+bgZq2pASqZhiqZjzPOFkz1eIZevcS5onmGV9StSIpnUfeVLpj2gFM0B9dS/1
jjoQeJN6UA3ImFDNlqNcHUxGVrL6PQES+3md8o+EmnsoDluJqqSn+4j/Ik08xKnG
rtHV19GdXo8mXui4uzBSPVlfCSHdXSVMhglJx/ItltWLuj+IuH5qizbCV/h4UJ/+
ryDvK3ZjfLejVTP4AufrVF8iXmizabYLfZs8/gUdXYphbV+S2Br/HOUnj6bbOZpP
Oo1suGw1YiQHgP3OShb2+rvLwBUYgE9f3aLpx1/xqHrGuHhB719waQAjUvYF6SZw
Wtx6mytjT3HfWvHoORjd
=hbTv
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.