mirrors/VeraCrypt
1
0
Fork 0
mirror of https://github.com/veracrypt/VeraCrypt.git synced 2026-05-17 01:51:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Linux/FreeBSD: Prevent mounting volumes on system directories and PATH (CVE-2025-23021, reported by SivertPL @__tfr)

Browse Source 
Added security checks to prevent mounting VeraCrypt volumes on system directories (like /usr/bin) or directories in the user's PATH, which could theoretically allow execution of malicious binaries instead of legitimate system binaries.

Key changes:
- Block mounting on protected system directories (/usr, /bin, /lib, etc.)
  This restriction cannot be overridden
- Block mounting on directories present in user's PATH environment variable
  This can be overridden with --allow-insecure-mount flag
- Add visual warnings (red border, "[INSECURE MODE]") when mounting on PATH directories is allowed
- Handle symlinks properly when checking paths
- Add new error messages for blocked mount points

To override PATH-based restrictions only (system directories remain protected):
veracrypt --allow-insecure-mount [options] volume mountpoint

Security Impact: Low to Medium
The attack requires either:
- User explicitly choosing a system directory as mount point instead of using VeraCrypt's default mount points
- Or attacker having both filesystem access to modify favorites configuration AND knowledge of the volume password
Default mount points are not affected by this vulnerability.

Security: CVE-2025-23021
This commit is contained in:
Mounir IDRASSI
2025-01-11 23:22:40 +01:00
parent 2cca2e1daf
commit 078d1410dd
59 changed files with 370 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/Main/UserInterface.cpp
View File

@@ -541,6 +541,9 @@ namespace VeraCrypt
EX2MSG (HigherFuseVersionRequired, LangString["LINUX_EX2MSG_HIGHERFUSEVERSIONREQUIRED"]);
#endif
EX2MSG (MountPointBlocked, LangString["MOUNTPOINT_BLOCKED"]);
EX2MSG (MountPointNotAllowed, LangString["MOUNTPOINT_NOTALLOWED"]);
#undef EX2MSG
return L"";
}
@@ -560,6 +563,7 @@ namespace VeraCrypt
SetPreferences (CmdLine->Preferences);
Core->SetApplicationExecutablePath (Application::GetExecutablePath());
Core->SetUserEnvPATH (getenv ("PATH"));
if (!Preferences.NonInteractive)
{
@@ -572,6 +576,10 @@ namespace VeraCrypt
Core->ForceUseDummySudoPassword (CmdLine->ArgUseDummySudoPassword);
#if defined(TC_UNIX)
Core->SetAllowInsecureMount (CmdLine->ArgAllowInsecureMount);
#endif
Core->WarningEvent.Connect (EventConnector <UserInterface> (this, &UserInterface::OnWarning));
Core->VolumeMountedEvent.Connect (EventConnector <UserInterface> (this, &UserInterface::OnVolumeMounted));
@@ -1646,6 +1654,13 @@ const FileManager fileManagers[] = {
return sResult;
}
#ifdef TC_UNIX
bool UserInterface::InsecureMountAllowed () const
{
return CmdLine->ArgAllowInsecureMount;
}
#endif
#define VC_CONVERT_EXCEPTION(NAME) if (dynamic_cast<NAME*> (ex)) throw (NAME&) *ex;
void UserInterface::ThrowException (Exception* ex)
@@ -1734,6 +1749,9 @@ const FileManager fileManagers[] = {
VC_CONVERT_EXCEPTION (EMVKeyfileDataNotFound);
VC_CONVERT_EXCEPTION (EMVPANNotFound);
VC_CONVERT_EXCEPTION (MountPointBlocked);
VC_CONVERT_EXCEPTION (MountPointNotAllowed);
throw *ex;
}
}