CryptWare Backdoor Fixed

Thursday, September 1, 2016 @ 04:09 PM gHale


An update has been released for CryptWare’s CryptoPro Secure Disk for BitLocker tool.

The update comes after researchers found vulnerabilities that can be exploited to backdoor the system and potentially steal sensitive data.


CryptWare’s CryptoPro Secure Disk enhances the functionality of BitLocker, the full disk encryption feature from Microsoft for some versions of Windows. CryptoPro Secure Disk provides BitLocker PreBoot Authentication (PBA), and support for UID/password and smartcard/PIN authentication.

An advisory from security firm SEC Consult shows the application suffers from two vulnerabilities that can be leveraged by an attacker who has physical access to the targeted system.

An attacker can exploit the first vulnerability to access a root shell at boot and execute arbitrary commands. The output of the executed commands is not visible, but the attacker can connect the targeted machine to a DHCP server that assigns it an IP address and then bind the root shell to port 8197. Connecting to port 8197 allows the attacker to view the output of the commands they execute, researchers said.

The flaw exists because CryptoPro Secure Disk does not properly block terminal access. When installed, the product creates a new partition that runs a small Linux operating system, which gets booted before BitLocker code executes. A local attacker can use a keyboard shortcut to launch a terminal and execute commands.

The second vulnerability found by SEC Consult comes from inadequate verification mechanisms. At startup, a script compares the checksum of the files on the system with a preconfigured list, and the boot process halts if invalid files are detected. However, researchers found a design flaw that can be exploited to modify files on the system and still bypass the verification process.

Researchers said this flaw can be used to backdoor the system and steal sensitive information, including BitLocker and domain credentials, and the certificate used for 802.1x authentication.
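The startup check described above (file checksums compared against a preconfigured list, boot halted on mismatch) is the kind of mechanism shown below. This is an added illustrative example, not CryptoPro Secure Disk's own script, and the specific design flaw SEC Consult found is not described on this page; the example simply shows a defender's version in which the list itself is covered by a keyed MAC, so that editing a file and regenerating the list to match is still detected. The in-memory files, paths and key are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed in-memory stand-in for the files on the pre-boot Linux partition.
BOOT_FILES = {
    "/sbin/init": b"#!/bin/sh\nexec /usr/bin/pba\n",
    "/usr/bin/pba": b"\x7fELF...constructed-pba-binary...",
    "/etc/pba.conf": b"auth=smartcard\nfallback=password\n",
}

# Hypothetical verification key. In a real deployment it would have to be kept
# out of reach of anyone who can modify the partition (for example sealed to a TPM);
# a key stored next to the files gives no protection against physical access.
VERIFY_KEY = b"constructed-demo-key-not-for-real-use"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Preconfigured list of expected checksums, keyed by path."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over a canonical encoding so the list cannot be silently rewritten."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_boot(files: dict, manifest: dict, manifest_mac: str, key: bytes) -> list:
    """Return a list of findings; an empty list means the boot may continue."""
    findings = []
    if not hmac.compare_digest(sign_manifest(manifest, key), manifest_mac):
        findings.append("manifest: signature mismatch")
        return findings  # a tampered list proves nothing about the files
    for path, expected in manifest.items():
        if path not in files:
            findings.append(f"{path}: missing")
        elif not hmac.compare_digest(sha256_hex(files[path]), expected):
            findings.append(f"{path}: checksum mismatch")
    for path in files:
        if path not in manifest:
            findings.append(f"{path}: not in manifest")  # unexpected files also halt the boot
    return findings
```

Any non-empty result from verify_boot is the condition under which the boot should halt.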