Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/12/2009
03:09 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Disk Encryption Driver Hole Exposes Encryption Key

Global IP Telecommunications publishes research describing a new attack on disk encryption software

Bradford, Munich, Schffengrund, 12.01.2009, 2009 - Security Hole in Driver Communication of Disk Encryption Software enables interception of encryption key during mount of an encrypted volume

Global IP Telecommunications, a leading manufacturer of Voice-over-IP (VoIP) software telephones, PMC Ciphers, a leading specialist for ultimate ciphers, and CyProtect AG, a leading internet security specialist, have announced today that they've published research describing a new attack on disk encryption software that reveals the entire key when an encrypted volume is being mounted. The attack was named "Mount IOCTL Attack" by the author.

In order to mount a virtual encrypted disk, the user interface application of a disk encryption software passes volume file path information, the selected encryption algorithm as well as the highly secret password, in the clear to a software driver through the DeviceIoControl() function, which is the only function for this purpose in an operating system. A tampered version of the DeviceIoControl() function would easily allow an attacker to get hold of the key used to mount the encrypted volume by a simple comparison for equality of a 32 bit number - the IO Control Code of the mount request.

In the paper, "Attack on mount control code of commercial on-the-fly disk encryption software and efficient countermeasure", the companies used the publically available source code of a popular disk encryption software for their peer review. A hypothetically tampered version of the DeviceIOControl() function could easily wait for a specific IO Control Code (e.g. 466944d = 00072000h) and each time this IOCTL is passed to the function, log the entire set of parameters that is passed along with the function call. These parameters include the entire key required to access the encrypted volume to be mounted IN PLAINTEXT.

The companies further disclosed that an SSL-like Diffie-Hellman key exchange between encryption driver and user interface application of a disk encryption software enable for henceforth encrypted communication with the encryption driver, resulting in complete immunity from Mount IOCTL Attack.

This countermeasure is already built into the new version of the disk encryption software "TurboCrypt". Existing users of earlier "TurboCrypt" or "Global Safe Disk" versions are advised to migrate to the new "TurboCrypt" as soon as possible. The new software is already available online for Windows XP, Vista 32 and Vista 64 operating systems at the following URL:

http://downloads.turbocrypt.com/... or http://www.cyprotect.com/...

The paper, "Attack on mount control code of commercial on-the-fly disk encryption software and efficient countermeasure" is accessible through the following URL:

http://www.turbocrypt.com/...

"ber Global IP Telecommunications Ltd.

Global IP Telecommunications has become well known since 2004 as Prefered Development Partner of Counterpath Solutions Inc. (formerly Xten). Global IP Telecommunications is now a leading manufacturer of softphone applications for Voice-over-IP. GlobalIPTel products are being sold worldwide through leading PC-, USB- and headset manufacturers, internet service providers, telcos as well as international sales partners (www.globaliptel.com).

About PMC Ciphers, Inc. PMC Ciphers is a marketing company for the Polymorphic Cipher invented by co-founder C.B. Roellgen in 1999. The company develops and markets ultra-secure ciphers based on the unique technology of the Polymorphic Cipher. All ciphers of the company are created in Germany (www.pmc-ciphers.com).

About CyProtect AG: CyProtect AG was founded in the year 2000 and is focused on security, respective internet security. We are protecting data and applications against external attacks and are offering encryption for sensitive information saved on storage systems and during network and transfer connections. Furthermore we secure important data against unauthorized access with powerful hardware and software solutions (www.cyprotect.com).

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27394
PUBLISHED: 2021-04-16
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.19), Mendix Applications using Mendix 8 (All versions < V8.17.0), Mendix Applications using Mendix 8 (V8.12) (All versions < V8.12.5), Mendix Applications using Mendix 8 (V8.6) (All versions <...
CVE-2020-9667
PUBLISHED: 2021-04-16
Adobe Genuine Service version 6.6 (and earlier) is affected by an Uncontrolled Search Path element vulnerability. An authenticated attacker could exploit this to to plant custom binaries and execute them with System permissions. Exploitation of this issue requires user interaction.
CVE-2020-9668
PUBLISHED: 2021-04-16
Adobe Genuine Service version 6.6 (and earlier) is affected by an Improper Access control vulnerability when handling symbolic links. An unauthenticated attacker could exploit this to elevate privileges in the context of the current user.
CVE-2020-9681
PUBLISHED: 2021-04-16
Adobe Genuine Service version 6.6 (and earlier) is affected by an Uncontrolled Search Path element vulnerability. An authenticated attacker could exploit this to rewrite the file of the administrator, which may lead to elevated permissions. Exploitation of this issue requires user interaction.
CVE-2021-26830
PUBLISHED: 2021-04-16
SQL Injection in Tribalsystems Zenario CMS 8.8.52729 allows remote attackers to access the database or delete the plugin. This is accomplished via the `ID` input field of ajax.php in the `Pugin library - delete` module.