From 078d1410dd3307956638d9c90f40ec15032ef01f Mon Sep 17 00:00:00 2001 From: Mounir IDRASSI Date: Sat, 11 Jan 2025 23:22:40 +0100 Subject: Linux/FreeBSD: Prevent mounting volumes on system directories and PATH (CVE-2025-23021, reported by SivertPL @__tfr) Added security checks to prevent mounting VeraCrypt volumes on system directories (like /usr/bin) or directories in the user's PATH, which could theoretically allow execution of malicious binaries instead of legitimate system binaries. Key changes: - Block mounting on protected system directories (/usr, /bin, /lib, etc.) This restriction cannot be overridden - Block mounting on directories present in user's PATH environment variable This can be overridden with --allow-insecure-mount flag - Add visual warnings (red border, "[INSECURE MODE]") when mounting on PATH directories is allowed - Handle symlinks properly when checking paths - Add new error messages for blocked mount points To override PATH-based restrictions only (system directories remain protected): veracrypt --allow-insecure-mount [options] volume mountpoint Security Impact: Low to Medium The attack requires either: - User explicitly choosing a system directory as mount point instead of using VeraCrypt's default mount points - Or attacker having both filesystem access to modify favorites configuration AND knowledge of the volume password Default mount points are not affected by this vulnerability. Security: CVE-2025-23021 --- src/Main/CommandLineInterface.cpp | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'src/Main/CommandLineInterface.cpp') diff --git a/src/Main/CommandLineInterface.cpp b/src/Main/CommandLineInterface.cpp index f2f5e793..9994e450 100644 --- a/src/Main/CommandLineInterface.cpp +++ b/src/Main/CommandLineInterface.cpp @@ -33,6 +33,9 @@ namespace VeraCrypt ArgDisableFileSizeCheck (false), ArgUseLegacyPassword (false), ArgUseDummySudoPassword (false), +#if defined(TC_UNIX) + ArgAllowInsecureMount (false), + #endif StartBackgroundTask (false) { wxCmdLineParser parser; @@ -107,6 +110,9 @@ namespace VeraCrypt parser.AddSwitch (L"", L"legacy-password-maxlength", _("Use legacy maximum password length (64 UTF-8 bytes)")); #if defined(TC_LINUX ) || defined (TC_FREEBSD) parser.AddSwitch (L"", L"use-dummy-sudo-password", _("Use dummy password in sudo to detect if it is already authenticated")); +#endif +#if defined(TC_UNIX) + parser.AddSwitch (L"", L"allow-insecure-mount", _("Allow mounting volumes on mount points that are in the user's PATH")); #endif wxString str; bool param1IsVolume = false; @@ -376,6 +382,10 @@ namespace VeraCrypt ArgUseLegacyPassword = parser.Found (L"legacy-password-maxlength"); ArgUseDummySudoPassword = parser.Found (L"use-dummy-sudo-password"); +#if defined(TC_UNIX) + ArgAllowInsecureMount = parser.Found (L"allow-insecure-mount"); +#endif + #if !defined(TC_WINDOWS) && !defined(TC_MACOSX) if (parser.Found (L"fs-options", &str)) ArgMountOptions.FilesystemOptions = str; -- cgit v1.2.3