Public/VeraCrypt
1
0
Fork 0
mirror of https://github.com/veracrypt/VeraCrypt.git synced 2025-11-11 11:08:02 -06:00
Code Activity

Linux/FreeBSD: Prevent mounting volumes on system directories and PATH (CVE-2025-23021, reported by SivertPL @__tfr)

Browse Source 
Added security checks to prevent mounting VeraCrypt volumes on system directories (like /usr/bin) or directories in the user's PATH, which could theoretically allow execution of malicious binaries instead of legitimate system binaries.

Key changes:
- Block mounting on protected system directories (/usr, /bin, /lib, etc.)
  This restriction cannot be overridden
- Block mounting on directories present in user's PATH environment variable
  This can be overridden with --allow-insecure-mount flag
- Add visual warnings (red border, "[INSECURE MODE]") when mounting on PATH directories is allowed
- Handle symlinks properly when checking paths
- Add new error messages for blocked mount points

To override PATH-based restrictions only (system directories remain protected):
veracrypt --allow-insecure-mount [options] volume mountpoint

Security Impact: Low to Medium
The attack requires either:
- User explicitly choosing a system directory as mount point instead of using VeraCrypt's default mount points
- Or attacker having both filesystem access to modify favorites configuration AND knowledge of the volume password
Default mount points are not affected by this vulnerability.

Security: CVE-2025-23021
This commit is contained in:
Mounir IDRASSI
2025-01-11 23:22:40 +01:00
parent 2cca2e1daf
commit 078d1410dd
59 changed files with 370 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/Main/CommandLineInterface.cpp
View File

@@ -33,6 +33,9 @@ namespace VeraCrypt
ArgDisableFileSizeCheck (false),
ArgUseLegacyPassword (false),
ArgUseDummySudoPassword (false),
#if defined(TC_UNIX)
ArgAllowInsecureMount (false),
#endif
StartBackgroundTask (false)
{
wxCmdLineParser parser;
@@ -107,6 +110,9 @@ namespace VeraCrypt
parser.AddSwitch (L"", L"legacy-password-maxlength", _("Use legacy maximum password length (64 UTF-8 bytes)"));
#if defined(TC_LINUX ) || defined (TC_FREEBSD)
parser.AddSwitch (L"", L"use-dummy-sudo-password", _("Use dummy password in sudo to detect if it is already authenticated"));
#endif
#if defined(TC_UNIX)
parser.AddSwitch (L"", L"allow-insecure-mount", _("Allow mounting volumes on mount points that are in the user's PATH"));
#endif
wxString str;
bool param1IsVolume = false;
@@ -376,6 +382,10 @@ namespace VeraCrypt
ArgUseLegacyPassword = parser.Found (L"legacy-password-maxlength");
ArgUseDummySudoPassword = parser.Found (L"use-dummy-sudo-password");
#if defined(TC_UNIX)
ArgAllowInsecureMount = parser.Found (L"allow-insecure-mount");
#endif
#if !defined(TC_WINDOWS) && !defined(TC_MACOSX)
if (parser.Found (L"fs-options", &str))
ArgMountOptions.FilesystemOptions = str;