Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/12/2009
03:09 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Disk Encryption Driver Hole Exposes Encryption Key

Global IP Telecommunications publishes research describing a new attack on disk encryption software

Bradford, Munich, Schffengrund, 12.01.2009, 2009 - Security Hole in Driver Communication of Disk Encryption Software enables interception of encryption key during mount of an encrypted volume

Global IP Telecommunications, a leading manufacturer of Voice-over-IP (VoIP) software telephones, PMC Ciphers, a leading specialist for ultimate ciphers, and CyProtect AG, a leading internet security specialist, have announced today that they've published research describing a new attack on disk encryption software that reveals the entire key when an encrypted volume is being mounted. The attack was named "Mount IOCTL Attack" by the author.

In order to mount a virtual encrypted disk, the user interface application of a disk encryption software passes volume file path information, the selected encryption algorithm as well as the highly secret password, in the clear to a software driver through the DeviceIoControl() function, which is the only function for this purpose in an operating system. A tampered version of the DeviceIoControl() function would easily allow an attacker to get hold of the key used to mount the encrypted volume by a simple comparison for equality of a 32 bit number - the IO Control Code of the mount request.

In the paper, "Attack on mount control code of commercial on-the-fly disk encryption software and efficient countermeasure", the companies used the publically available source code of a popular disk encryption software for their peer review. A hypothetically tampered version of the DeviceIOControl() function could easily wait for a specific IO Control Code (e.g. 466944d = 00072000h) and each time this IOCTL is passed to the function, log the entire set of parameters that is passed along with the function call. These parameters include the entire key required to access the encrypted volume to be mounted IN PLAINTEXT.

The companies further disclosed that an SSL-like Diffie-Hellman key exchange between encryption driver and user interface application of a disk encryption software enable for henceforth encrypted communication with the encryption driver, resulting in complete immunity from Mount IOCTL Attack.

This countermeasure is already built into the new version of the disk encryption software "TurboCrypt". Existing users of earlier "TurboCrypt" or "Global Safe Disk" versions are advised to migrate to the new "TurboCrypt" as soon as possible. The new software is already available online for Windows XP, Vista 32 and Vista 64 operating systems at the following URL:

http://downloads.turbocrypt.com/... or http://www.cyprotect.com/...

The paper, "Attack on mount control code of commercial on-the-fly disk encryption software and efficient countermeasure" is accessible through the following URL:

http://www.turbocrypt.com/...

"ber Global IP Telecommunications Ltd.

Global IP Telecommunications has become well known since 2004 as Prefered Development Partner of Counterpath Solutions Inc. (formerly Xten). Global IP Telecommunications is now a leading manufacturer of softphone applications for Voice-over-IP. GlobalIPTel products are being sold worldwide through leading PC-, USB- and headset manufacturers, internet service providers, telcos as well as international sales partners (www.globaliptel.com).

About PMC Ciphers, Inc. PMC Ciphers is a marketing company for the Polymorphic Cipher invented by co-founder C.B. Roellgen in 1999. The company develops and markets ultra-secure ciphers based on the unique technology of the Polymorphic Cipher. All ciphers of the company are created in Germany (www.pmc-ciphers.com).

About CyProtect AG: CyProtect AG was founded in the year 2000 and is focused on security, respective internet security. We are protecting data and applications against external attacks and are offering encryption for sensitive information saved on storage systems and during network and transfer connections. Furthermore we secure important data against unauthorized access with powerful hardware and software solutions (www.cyprotect.com).

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I feel safe, but I can't understand a word he's saying."
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10374
PUBLISHED: 2020-03-30
A webserver component in Paessler PRTG Network Monitor 19.2.50 to PRTG 20.1.56 allows unauthenticated remote command execution via a crafted POST request or the what parameter of the screenshot function in the Contact Support form.
CVE-2020-11104
PUBLISHED: 2020-03-30
An issue was discovered in USC iLab cereal through 1.3.0. Serialization of an (initialized) C/C++ long double variable into a BinaryArchive or PortableBinaryArchive leaks several bytes of stack or heap memory, from which sensitive information (such as memory layout or private keys) can be gleaned if...
CVE-2020-11105
PUBLISHED: 2020-03-30
An issue was discovered in USC iLab cereal through 1.3.0. It employs caching of std::shared_ptr values, using the raw pointer address as a unique identifier. This becomes problematic if an std::shared_ptr variable goes out of scope and is freed, and a new std::shared_ptr is allocated at the same add...
CVE-2020-11106
PUBLISHED: 2020-03-30
An issue was discovered in Responsive Filemanager through 9.14.0. In the dialog.php page, the session variable $_SESSION['RF']["view_type"] wasn't sanitized if it was already set. This made stored XSS possible if one opens ajax_calls.php and uses the "view" action and places a pa...
CVE-2020-5284
PUBLISHED: 2020-03-30
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your applicati...