diff options
| author | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2025-01-11 23:22:40 +0100 |
|---|---|---|
| committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2025-01-14 14:59:45 +0100 |
| commit | 078d1410dd3307956638d9c90f40ec15032ef01f (patch) | |
| tree | 5b1bba6f7d7e9509a14642d9182b518ba40c8a2c /src/Main/UserInterface.cpp | |
| parent | 2cca2e1dafa405addc3af8724baf8563f352ac1c (diff) | |
| download | VeraCrypt-078d1410dd3307956638d9c90f40ec15032ef01f.tar.gz VeraCrypt-078d1410dd3307956638d9c90f40ec15032ef01f.zip | |
Linux/FreeBSD: Prevent mounting volumes on system directories and PATH (CVE-2025-23021, reported by SivertPL @__tfr)
Added security checks to prevent mounting VeraCrypt volumes on system directories (like /usr/bin) or directories in the user's PATH, which could theoretically allow execution of malicious binaries instead of legitimate system binaries.
Key changes:
- Block mounting on protected system directories (/usr, /bin, /lib, etc.)
This restriction cannot be overridden
- Block mounting on directories present in user's PATH environment variable
This can be overridden with --allow-insecure-mount flag
- Add visual warnings (red border, "[INSECURE MODE]") when mounting on PATH directories is allowed
- Handle symlinks properly when checking paths
- Add new error messages for blocked mount points
To override PATH-based restrictions only (system directories remain protected):
veracrypt --allow-insecure-mount [options] volume mountpoint
Security Impact: Low to Medium
The attack requires either:
- User explicitly choosing a system directory as mount point instead of using VeraCrypt's default mount points
- Or attacker having both filesystem access to modify favorites configuration AND knowledge of the volume password
Default mount points are not affected by this vulnerability.
Security: CVE-2025-23021
Diffstat (limited to 'src/Main/UserInterface.cpp')
| -rw-r--r-- | src/Main/UserInterface.cpp | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/src/Main/UserInterface.cpp b/src/Main/UserInterface.cpp index 5798cb31..8da77f5b 100644 --- a/src/Main/UserInterface.cpp +++ b/src/Main/UserInterface.cpp @@ -541,6 +541,9 @@ namespace VeraCrypt EX2MSG (HigherFuseVersionRequired, LangString["LINUX_EX2MSG_HIGHERFUSEVERSIONREQUIRED"]); #endif + EX2MSG (MountPointBlocked, LangString["MOUNTPOINT_BLOCKED"]); + EX2MSG (MountPointNotAllowed, LangString["MOUNTPOINT_NOTALLOWED"]); + #undef EX2MSG return L""; } @@ -560,6 +563,7 @@ namespace VeraCrypt SetPreferences (CmdLine->Preferences); Core->SetApplicationExecutablePath (Application::GetExecutablePath()); + Core->SetUserEnvPATH (getenv ("PATH")); if (!Preferences.NonInteractive) { @@ -572,6 +576,10 @@ namespace VeraCrypt Core->ForceUseDummySudoPassword (CmdLine->ArgUseDummySudoPassword); +#if defined(TC_UNIX) + Core->SetAllowInsecureMount (CmdLine->ArgAllowInsecureMount); +#endif + Core->WarningEvent.Connect (EventConnector <UserInterface> (this, &UserInterface::OnWarning)); Core->VolumeMountedEvent.Connect (EventConnector <UserInterface> (this, &UserInterface::OnVolumeMounted)); @@ -1646,6 +1654,13 @@ const FileManager fileManagers[] = { return sResult; } +#ifdef TC_UNIX + bool UserInterface::InsecureMountAllowed () const + { + return CmdLine->ArgAllowInsecureMount; + } +#endif + #define VC_CONVERT_EXCEPTION(NAME) if (dynamic_cast<NAME*> (ex)) throw (NAME&) *ex; void UserInterface::ThrowException (Exception* ex) @@ -1734,6 +1749,9 @@ const FileManager fileManagers[] = { VC_CONVERT_EXCEPTION (EMVKeyfileDataNotFound); VC_CONVERT_EXCEPTION (EMVPANNotFound); + VC_CONVERT_EXCEPTION (MountPointBlocked); + VC_CONVERT_EXCEPTION (MountPointNotAllowed); + throw *ex; } } |