Date: Thu, 17 Apr 2014 14:59:44 -0400 (EDT)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: TrueCrypt audit report

This report points out a number of issues that are certainly worthwhile to fix (or, in some cases, "improve" rather than "fix") within a product of this type. Not all of these issues would be considered vulnerabilities in the classic sense. As far as we can tell, the scope of the threat model or models was not explicitly defined within the report document, and the report instead is described as covering "issues that could lead to information disclosure, elevation of privilege, or similar concerns." It's unclear why findings such as the ability of an administrator to cause a BSOD are considered "similar." Also, the report identifies some issues that are apparently outside the intended security properties as described at:

http://www.truecrypt.org/docs/security-model
http://www.truecrypt.org/docs/physical-security
http://www.truecrypt.org/docs/non-admin-users

In other cases, the report identifies behavior that is wrong, but does not clarify whether there is a security impact or only a usability impact. In addition, we are unaware of whether a vendor response exists or is anticipated.

These are the three issues that, based on the information directly contained in the report, would fall within the scope of CVE regardless of the vendor response:

> TC_IOCTL_OPEN_TEST and TC_IOCTL_GET_SYSTEM_DRIVE_CONFIG: an attacker
> can
>
> -- Deduce the presence of files they do not have access to
> -- Deduce if said files are smaller than TC_MAX_VOLUME_SECTOR_SIZE
> -- Deduce if said files start with the string "TrueCrypt" or one of four magic markers

Use CVE-2014-2884.

> integer overflow in the MainThreadProc function in
> EncryptedIoQueue.c ... could result in information disclosure.
>
> integer overflow in the ProcessVolumeDeviceControlIrp function in
> Ntdriver.c ... can result in Denial of Service (starve the kernel of
> memory)

Use CVE-2014-2885.

(i.e., three distinct issues but two CVE IDs)

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]