Security researchers have completed the Open Source Technology Improvement Fund-backed audit of encryption platform VeraCrypt and found eight critical, three medium, and 15 low-severity vulnerabilities. The team behind the popular tool addressed the audit's findings in VeraCrypt 1.19.

OSTIF said VeraCrypt 1.9 is safe because most of the flaws have been addressed. Some vulnerabilities were not addressed in this version, due to the "high complexity for the proposed fixes," but workarounds for those exist.

"As long as you are following the documentation for known issues and using it as advised, I believe [VeraCrypt] is one of the best FDE systems out there," said Derek Zimmer, OSTIF CEO and president, in an Ask-Me-Anything Q&A on Reddit. Zimmer is also a partner with virtual private network service provider VikingVPN.

OSTIF hired Quarkslab senior security researcher Jean-Baptiste Bédrune and senior cryptographer Marion Videau to check the VeraCrypt codebase, focusing on version 1.18, and the DCS EFI Bootloader. The audit focused on new security features that were introduced into VeraCrypt after the April 2015 security audit of TrueCrypt. VeraCrypt is the fork of that now-abandoned encryption tool, and is backwards-compatible.

Four problems in the bootloader - keystrokes not being erased after authentication, sensitive data not correctly erased, memory corruption, and null/bad pointer references - were found in the audit and fixed in version 1.19.

A low-severity boot password flaw, where the password length could be determined, was also addressed. While the information leak itself is not critical, as the system needs to be booted and privileged access is required to read BIOS memory, the vulnerability needed to be fixed because an attacker knowing the length of the password would hasten the time needed for brute-force attacks, the audit said.

The audit found that all the compression functions had issues. VeraCrypt relied on compression functions to decompress the bootloader when the hard drive is encrypted, to create and check the recovery disks if the system is encrypted and uses UEFI, and during installation. VeraCrypt was using XZip and XUnzip, which had known vulnerabilities and were out-of-date. "We strongly recommend to either rewrite this library and use an up-to-date version of zlib, or preferably, use another component to handle Zip files," the auditors said. VeraCrypt 1.19 replaced the vulnerable libraries with libzip, a modern and more secure zip library.