From 078d1410dd3307956638d9c90f40ec15032ef01f Mon Sep 17 00:00:00 2001 From: Mounir IDRASSI Date: Sat, 11 Jan 2025 23:22:40 +0100 Subject: Linux/FreeBSD: Prevent mounting volumes on system directories and PATH (CVE-2025-23021, reported by SivertPL @__tfr) Added security checks to prevent mounting VeraCrypt volumes on system directories (like /usr/bin) or directories in the user's PATH, which could theoretically allow execution of malicious binaries instead of legitimate system binaries. Key changes: - Block mounting on protected system directories (/usr, /bin, /lib, etc.) This restriction cannot be overridden - Block mounting on directories present in user's PATH environment variable This can be overridden with --allow-insecure-mount flag - Add visual warnings (red border, "[INSECURE MODE]") when mounting on PATH directories is allowed - Handle symlinks properly when checking paths - Add new error messages for blocked mount points To override PATH-based restrictions only (system directories remain protected): veracrypt --allow-insecure-mount [options] volume mountpoint Security Impact: Low to Medium The attack requires either: - User explicitly choosing a system directory as mount point instead of using VeraCrypt's default mount points - Or attacker having both filesystem access to modify favorites configuration AND knowledge of the volume password Default mount points are not affected by this vulnerability. Security: CVE-2025-23021 --- Translations/Language.vi.xml | 3 +++ 1 file changed, 3 insertions(+) (limited to 'Translations/Language.vi.xml') diff --git a/Translations/Language.vi.xml b/Translations/Language.vi.xml index 29dd6427..91f7f6a7 100644 --- a/Translations/Language.vi.xml +++ b/Translations/Language.vi.xml @@ -1641,6 +1641,9 @@ WARNING: The volume's master key is vulnerable to an attack that compromises data security.\n\nPlease create a new volume and transfer the data to it. WARNING: The encrypted system's master key is vulnerable to an attack that compromises data security.\nPlease decrypt the system partition/drive and then re-encrypt it. WARNING: The volume's master key has a security vulnerability. + ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point. + ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point. + [INSECURE MODE] -- cgit v1.2.3