First of all, there is no such thing as a perfect, bug-free software.
Even the most rigorously tested software, like the ones that operate SCADA Systems, medical devices, and aviation software, have flaws.
Vulnerabilities are an unfortunate reality for every software product, but there is always space for improvements.
Due to the enormous popularity of VeraCrypt, security researchers from the OSTIF (The Open Source Technology Improvement Fund) agreed to audit VeraCrypt independently and hired researchers from QuarksLab in August to lead the audit.
And it seems like VeraCrypt is not exactly flawless either.
Now after one month of the audit, researchers have discovered a number of security issues, including 8 critical, 3 medium, and 15 low-severity vulnerabilities in the popular encryption platform VeraCrypt.
Quarkslab senior security researcher Jean-Baptiste Bédrune and senior cryptographer Marion Videau analyzed the VeraCrypt version 1.18 and the DCS EFI Bootloader 1.18 (UEFI), mainly focusing on new features introduced since last year’s TrueCrypt security audit.
VeraCrypt file encryption software has been derived from the TrueCrypt project, but with enhancements to further secure your data.
“VeraCrypt is a project hard to maintain,” researchers said. “Deep knowledge of several operating systems, the Windows kernel, the system boot chain and good concepts in cryptography are required. The improvements made by IDRIX demonstrate the possession of these skills.”
The researchers have detailed all the vulnerabilities in a 42-page audit report [PDF], which includes:
- Critical bugs in the implementation of GOST 28147-89, a symmetric block cipher with a 64-bit block size, which they say must be removed completely due to unsafe implementation.
- All compression libraries are considered outdated or “poorly-written,” and must be replaced with modern and more secure zip libraries.
- If the system is encrypted, the boot password in UEFI mode or its length can be determined.
The majority of flaws have been fixed in the latest VeraCrypt version 1.19 release, but a few of them including AES implementation have not yet been patched due to substantial modifications of the code or/and the architecture of the project.
So, according to the OSTIF, “VeraCrypt is much safer after this audit, and the fixes applied to the software mean that the world is safer when using this software.”
You are recommended to download the latest VeraCrypt version 1.19.