Implement detection of volumes with vulnerable XTS master key.

If vulnerability detected, a warning message is displayed during mount or backup/restore header, and changing the password is disallowed since it will not change the master key.

src/Common/Apidrvr.h

@@ -177,6 +177,7 @@ typedef struct
 	ULONG MaximumTransferLength;
 	ULONG MaximumPhysicalPages;
 	ULONG AlignmentMask;
+	BOOL VolumeMasterKeyVulnerable;
 } MOUNT_STRUCT;
 
 typedef struct
@@ -316,6 +317,8 @@ typedef struct
 	// is read-only (or mounted an outer/normal TrueCrypt volume as read only)
 	uint32 HiddenSysLeakProtectionCount;
 
+	BOOL MasterKeyVulnerable;
+
 } BootEncryptionStatus;
 
 

src/Common/BootEncryption.cpp

@@ -1462,6 +1462,7 @@ namespace VeraCrypt
 		/* IMPORTANT: Do NOT add any potentially time-consuming operations to this function. */
 
 		BootEncryptionStatus status;
+		memset (&status, 0, sizeof(status));
 		CallDriver (TC_IOCTL_GET_BOOT_ENCRYPTION_STATUS, NULL, 0, &status, sizeof (status));
 		return status;
 	}
@@ -5401,6 +5402,10 @@ namespace VeraCrypt
 		int status = ReadVolumeHeader (!encStatus.HiddenSystem, header, oldPassword, old_pkcs5, old_pim, &cryptoInfo, NULL);
 		finally_do_arg (PCRYPTO_INFO, cryptoInfo, { if (finally_arg) crypto_close (finally_arg); });
 
+		// if the XTS master key is vulnerable, return error and do not allow the user to change the password since the master key will not be changed
+		if (cryptoInfo->bVulnerableMasterKey)
+			status = ERR_SYSENC_XTS_MASTERKEY_VULNERABLE;
+
 		if (status != 0)
 		{
 			handleError (hwndDlg, status, SRC_POS);

src/Common/Crypto.h

@@ -277,6 +277,8 @@ typedef struct CRYPTO_INFO_t
 
 	uint32 SectorSize;
 
+	BOOL bVulnerableMasterKey; // TRUE if XTS primary key is identical to secondary key (i.e. the volume is vulnerable to attack on XTS mode)
+
 #endif // !TC_WINDOWS_BOOT
 
 	UINT64_STRUCT VolumeSize;

src/Common/Dlgcode.c

@@ -5577,6 +5577,14 @@ void handleError (HWND hwndDlg, int code, const char* srcPos)
 		break;
 #endif
 
+	case ERR_XTS_MASTERKEY_VULNERABLE:
+		MessageBoxW (hwndDlg, AppendSrcPos (GetString ("ERR_XTS_MASTERKEY_VULNERABLE"), srcPos).c_str(), lpszTitle, ICON_HAND);
+		break;
+
+	case ERR_SYSENC_XTS_MASTERKEY_VULNERABLE:
+		MessageBoxW (hwndDlg, AppendSrcPos (GetString ("ERR_SYSENC_XTS_MASTERKEY_VULNERABLE"), srcPos).c_str(), lpszTitle, ICON_HAND);
+		break;
+
 	default:
 		StringCbPrintfW (szTmp, sizeof(szTmp), GetString ("ERR_UNKNOWN"), code);
 		MessageBoxW (hwndDlg, AppendSrcPos (szTmp, srcPos).c_str(), lpszTitle, ICON_HAND);
@@ -8953,6 +8961,12 @@ retry:
 	
 	LastMountedVolumeDirty = mount.FilesystemDirty;
 
+	if (mount.VolumeMasterKeyVulnerable
+		&& !Silent)
+	{
+		Warning ("ERR_XTS_MASTERKEY_VULNERABLE", hwndDlg);
+	}
+
 	if (mount.FilesystemDirty)
 	{
 		wchar_t msg[1024];

src/Common/Language.xml

@@ -1638,6 +1638,9 @@
     <entry lang="en" key="LINUX_LANGUAGE">Language</entry>
     <entry lang="en" key="LINUX_SELECT_SYS_DEFAULT_LANG">Select system's default language</entry>
     <entry lang="en" key="LINUX_RESTART_FOR_LANGUAGE_CHANGE">For the language change to come into effect, VeraCrypt needs to be restarted.</entry>
+    <entry lang="en" key="ERR_XTS_MASTERKEY_VULNERABLE">WARNING: The volume's master key is vulnerable to an attack that compromises data security.\n\nPlease create a new volume and transfer the data to it.</entry>
+    <entry lang="en" key="ERR_SYSENC_XTS_MASTERKEY_VULNERABLE">WARNING: The encrypted system's master key is vulnerable to an attack that compromises data security.\nPlease decrypt the system partition/drive and then re-encrypt it.</entry>
+    <entry lang="en" key="ERR_XTS_MASTERKEY_VULNERABLE_SHORT">WARNING: The volume's master key has a security vulnerability.</entry>
   </localization>
   <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
     <xs:element name="VeraCrypt">

src/Common/Password.c

@@ -371,6 +371,10 @@ int ChangePwd (const wchar_t *lpszVolume, Password *oldPassword, int old_pkcs5,
 		if (nStatus == ERR_CIPHER_INIT_WEAK_KEY)
 			nStatus = 0;	// We can ignore this error here
 
+		// if the XTS master key is vulnerable, return error and do not allow the user to change the password since the master key will not be changed
+		if (cryptoInfo->bVulnerableMasterKey)
+			nStatus = ERR_XTS_MASTERKEY_VULNERABLE;
+
 		if (nStatus == ERR_PASSWORD_WRONG)
 		{
 			continue;		// Try next volume type

src/Common/Tcdefs.h

@@ -494,7 +494,9 @@ enum
 	ERR_NONSYS_INPLACE_ENC_INCOMPLETE		= 32,
 	ERR_USER_ABORT							= 33,
 	ERR_RAND_INIT_FAILED					= 34,
-	ERR_CAPI_INIT_FAILED					= 35
+	ERR_CAPI_INIT_FAILED					= 35,
+	ERR_XTS_MASTERKEY_VULNERABLE			= 36,
+	ERR_SYSENC_XTS_MASTERKEY_VULNERABLE			= 37
 };
 
 #endif 	// #ifndef TCDEFS_H

src/Common/Volumes.c

@@ -597,6 +597,14 @@ KeyReady:	;
 					goto err;
 				}
 
+				// check that first half of keyInfo.master_keydata is different from the second half. If they are the same return error
+				if (memcmp (keyInfo->master_keydata, keyInfo->master_keydata + EAGetKeySize (cryptoInfo->ea), EAGetKeySize (cryptoInfo->ea)) == 0)
+				{
+					cryptoInfo->bVulnerableMasterKey = TRUE;
+					if (retHeaderCryptoInfo)
+						retHeaderCryptoInfo->bVulnerableMasterKey = TRUE;
+				}
+
 				status = ERR_SUCCESS;
 				goto ret;
 			}

src/Core/Core.h

@@ -82,9 +82,13 @@ namespace VeraCrypt
 		shared_ptr <Pkcs5Kdf> m_newPkcs5Kdf;
 		int m_wipeCount;
 		bool m_emvSupportEnabled;
-		ChangePasswordThreadRoutine(shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, shared_ptr <Pkcs5Kdf> newPkcs5Kdf, int wipeCount, bool emvSupportEnabled) : m_volumePath(volumePath), m_preserveTimestamps(preserveTimestamps), m_password(password), m_pim(pim), m_kdf(kdf), m_keyfiles(keyfiles), m_newPassword(newPassword), m_newPim(newPim), m_newKeyfiles(newKeyfiles), m_newPkcs5Kdf(newPkcs5Kdf), m_wipeCount(wipeCount), m_emvSupportEnabled(emvSupportEnabled)  {}
+		bool m_masterKeyVulnerable;
+		ChangePasswordThreadRoutine(shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, shared_ptr <Pkcs5Kdf> newPkcs5Kdf, int wipeCount, bool emvSupportEnabled) : m_volumePath(volumePath), m_preserveTimestamps(preserveTimestamps), m_password(password), m_pim(pim), m_kdf(kdf), m_keyfiles(keyfiles), m_newPassword(newPassword), m_newPim(newPim), m_newKeyfiles(newKeyfiles), m_newPkcs5Kdf(newPkcs5Kdf), m_wipeCount(wipeCount), m_emvSupportEnabled(emvSupportEnabled), m_masterKeyVulnerable(false)  {}
 		virtual ~ChangePasswordThreadRoutine() { }
-		virtual void ExecutionCode(void) { Core->ChangePassword(m_volumePath, m_preserveTimestamps, m_password, m_pim, m_kdf, m_keyfiles, m_newPassword, m_newPim, m_newKeyfiles, m_emvSupportEnabled, m_newPkcs5Kdf, m_wipeCount); }
+		virtual void ExecutionCode(void) { 
+			shared_ptr <Volume> openVolume = Core->ChangePassword(m_volumePath, m_preserveTimestamps, m_password, m_pim, m_kdf, m_keyfiles, m_newPassword, m_newPim, m_newKeyfiles, m_emvSupportEnabled, m_newPkcs5Kdf, m_wipeCount); 
+			m_masterKeyVulnerable = openVolume->IsMasterKeyVulnerable();
+		}
 	};
 
 	class OpenVolumeThreadRoutine : public WaitThreadRoutine

src/Core/CoreBase.cpp

@@ -77,10 +77,11 @@ namespace VeraCrypt
 		}
 	}
 
-	void CoreBase::ChangePassword (shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, bool emvSupportEnabled, shared_ptr <Pkcs5Kdf> newPkcs5Kdf, int wipeCount) const
+	shared_ptr <Volume> CoreBase::ChangePassword (shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, bool emvSupportEnabled, shared_ptr <Pkcs5Kdf> newPkcs5Kdf, int wipeCount) const
 	{
 		shared_ptr <Volume> volume = OpenVolume (volumePath, preserveTimestamps, password, pim, kdf, keyfiles, emvSupportEnabled);
 		ChangePassword (volume, newPassword, newPim, newKeyfiles, emvSupportEnabled, newPkcs5Kdf, wipeCount);
+		return volume;
 	}
 
 	void CoreBase::CoalesceSlotNumberAndMountPoint (MountOptions &options) const

src/Core/CoreBase.h

@@ -34,7 +34,7 @@ namespace VeraCrypt
 		virtual ~CoreBase ();
 
 		virtual void ChangePassword (shared_ptr <Volume> openVolume, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, bool emvSupportEnabled, shared_ptr <Pkcs5Kdf> newPkcs5Kdf = shared_ptr <Pkcs5Kdf> (), int wipeCount = PRAND_HEADER_WIPE_PASSES) const;
-		virtual void ChangePassword (shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, bool emvSupportEnabled, shared_ptr <Pkcs5Kdf> newPkcs5Kdf = shared_ptr <Pkcs5Kdf> (), int wipeCount = PRAND_HEADER_WIPE_PASSES) const;
+		virtual shared_ptr <Volume> ChangePassword (shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, bool emvSupportEnabled, shared_ptr <Pkcs5Kdf> newPkcs5Kdf = shared_ptr <Pkcs5Kdf> (), int wipeCount = PRAND_HEADER_WIPE_PASSES) const;
 		virtual void CheckFilesystem (shared_ptr <VolumeInfo> mountedVolume, bool repair = false) const = 0;
 		virtual void CoalesceSlotNumberAndMountPoint (MountOptions &options) const;
 		virtual void CreateKeyfile (const FilePath &keyfilePath) const;

src/Driver/DriveFilter.c

@@ -522,10 +522,16 @@ static NTSTATUS MountDrive (DriveFilterExtension *Extension, Password *password,
 
 	if (ReadVolumeHeader (!hiddenVolume, header, password, pkcs5_prf, pim, &Extension->Queue.CryptoInfo, Extension->HeaderCryptoInfo) == 0)
 	{
-		// Header decrypted
+		// Header decrypted		
 		status = STATUS_SUCCESS;
 		Dump ("Header decrypted\n");
 
+		if (Extension->HeaderCryptoInfo->bVulnerableMasterKey)
+		{
+			// The volume header master key is vulnerable
+			Dump ("The volume header master key is vulnerable\n");
+		}
+
 		// calculate Fingerprint
 		ComputeBootLoaderFingerprint (Extension->LowerDeviceObject, header);
 			
@@ -2017,6 +2023,7 @@ void GetBootEncryptionStatus (PIRP irp, PIO_STACK_LOCATION irpSp)
 			bootEncStatus->ConfiguredEncryptedAreaStart = Extension->ConfiguredEncryptedAreaStart;
 			bootEncStatus->ConfiguredEncryptedAreaEnd = Extension->ConfiguredEncryptedAreaEnd;
 			bootEncStatus->EncryptedAreaStart = Extension->Queue.EncryptedAreaStart;
+			bootEncStatus->MasterKeyVulnerable = Extension->HeaderCryptoInfo->bVulnerableMasterKey;
 
 			if (SetupInProgress)
 			{

src/Driver/Ntvol.c

@@ -89,6 +89,7 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject,
 
 	mount->VolumeMountedReadOnlyAfterDeviceWriteProtected = FALSE;
 	mount->VolumeMountedReadOnlyAfterPartialSysEnc = FALSE;
+	mount->VolumeMasterKeyVulnerable = FALSE;
 
 	// If we are opening a device, query its size first
 	if (bRawDevice)
@@ -648,6 +649,9 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject,
 			Dump ("Volume header decrypted\n");
 			Dump ("Required program version = %x\n", (int) Extension->cryptoInfo->RequiredProgramVersion);
 			Dump ("Legacy volume = %d\n", (int) Extension->cryptoInfo->LegacyVolume);
+			Dump ("Master key vulnerable = %d\n", (int) Extension->cryptoInfo->bVulnerableMasterKey);
+
+			mount->VolumeMasterKeyVulnerable = Extension->cryptoInfo->bVulnerableMasterKey;
 
 			if (IsHiddenSystemRunning() && !Extension->cryptoInfo->hiddenVolume)
 			{

src/ExpandVolume/ExpandVolume.c

@@ -691,6 +691,12 @@ static int ExpandVolume (HWND hwndDlg, wchar_t *lpszVolume, Password *pVolumePas
 	if (nStatus == ERR_CIPHER_INIT_WEAK_KEY)
 		nStatus = 0;	// We can ignore this error here
 
+	// if the volume master key is vulnerable, print a warning to inform the user
+	if (cryptoInfo->bVulnerableMasterKey)
+	{
+		DebugAddProgressDlgStatus(hwndDlg, GetString ("ERR_XTS_MASTERKEY_VULNERABLE_SHORT"));
+	}
+
 	if (nStatus != 0)
 	{
 		cryptoInfo = NULL;

src/Main/Forms/ChangePasswordDialog.cpp

@@ -171,6 +171,7 @@ namespace VeraCrypt
 			RandomNumberGenerator::SetEnrichedByUserStatus (false);
 			Gui->UserEnrichRandomPool (this, NewPasswordPanel->GetPkcs5Kdf() ? NewPasswordPanel->GetPkcs5Kdf()->GetHash() : shared_ptr <Hash>());
 
+			bool masterKeyVulnerable = false;
 			{
 #ifdef TC_UNIX
 				// Temporarily take ownership of a device if the user is not an administrator
@@ -193,6 +194,7 @@ namespace VeraCrypt
 					CurrentPasswordPanel->GetPassword(), CurrentPasswordPanel->GetVolumePim(), CurrentPasswordPanel->GetPkcs5Kdf(), CurrentPasswordPanel->GetKeyfiles(),
 					newPassword, newPim, newKeyfiles, NewPasswordPanel->GetPkcs5Kdf(), NewPasswordPanel->GetHeaderWipeCount(), Gui->GetPreferences().EMVSupportEnabled);
 				Gui->ExecuteWaitThreadRoutine (this, &routine);
+				masterKeyVulnerable = routine.m_masterKeyVulnerable;
 			}
 
 			switch (DialogMode)
@@ -214,6 +216,9 @@ namespace VeraCrypt
 				throw ParameterIncorrect (SRC_POS);
 			}
 
+			if (masterKeyVulnerable)
+				Gui->ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
+
 			EndModal (wxID_OK);
 		}
 		catch (UnportablePassword &e)

src/Main/GraphicUserInterface.cpp

@@ -191,6 +191,7 @@ namespace VeraCrypt
 		hiddenVolumeMountOptions.Path = volumePath;
 
 		VolumeType::Enum volumeType = VolumeType::Normal;
+		bool masterKeyVulnerable = false;
 
 		// Open both types of volumes
 		while (true)
@@ -273,6 +274,13 @@ namespace VeraCrypt
 				}
 			}
 
+			// check if volume master key is vulnerable
+			if (volume->IsMasterKeyVulnerable())
+			{
+				masterKeyVulnerable = true;
+				ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
+			}
+
 			if (volumeType == VolumeType::Hidden)
 				hiddenVolume = volume;
 			else
@@ -366,6 +374,10 @@ namespace VeraCrypt
 		}
 
 		ShowWarning ("VOL_HEADER_BACKED_UP");
+
+		// display again warning that master key is vulnerable
+		if (masterKeyVulnerable)
+			ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
 	}
 
 	void GraphicUserInterface::BeginInteractiveBusyState (wxWindow *window)
@@ -1440,6 +1452,7 @@ namespace VeraCrypt
 		/* force the display of the random enriching interface */
 		RandomNumberGenerator::SetEnrichedByUserStatus (false);
 
+		bool masterKeyVulnerable = false;
 		if (restoreInternalBackup)
 		{
 			// Restore header from the internal backup
@@ -1492,6 +1505,8 @@ namespace VeraCrypt
 				return;
 			}
 
+			masterKeyVulnerable = volume->IsMasterKeyVulnerable();
+
 			RandomNumberGenerator::Start();
 			UserEnrichRandomPool (nullptr);
 
@@ -1590,6 +1605,7 @@ namespace VeraCrypt
 
 						if (decryptRoutine.m_bResult)
 						{
+							masterKeyVulnerable = layout->GetHeader()->IsMasterKeyVulnerable();
 							decryptedLayout = layout;
 							break;
 						}
@@ -1645,6 +1661,12 @@ namespace VeraCrypt
 		}
 
 		ShowInfo ("VOL_HEADER_RESTORED");
+
+		// display warning if the volume master key is vulnerable
+		if (masterKeyVulnerable)
+		{
+			ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
+		}
 	}
 
 	DevicePath GraphicUserInterface::SelectDevice (wxWindow *parent) const

src/Main/TextUserInterface.cpp

@@ -314,6 +314,7 @@ namespace VeraCrypt
 		hiddenVolumeMountOptions.EMVSupportEnabled = true;
 
 		VolumeType::Enum volumeType = VolumeType::Normal;
+		bool masterKeyVulnerable = false;
 
 		// Open both types of volumes
 		while (true)
@@ -387,6 +388,13 @@ namespace VeraCrypt
 				}
 			}
 
+			// check if volume master key is vulnerable
+			if (volume->IsMasterKeyVulnerable())
+			{
+				masterKeyVulnerable = true;
+				ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
+			}
+
 			if (volumeType == VolumeType::Hidden)
 				hiddenVolume = volume;
 			else
@@ -454,6 +462,10 @@ namespace VeraCrypt
 
 		ShowString (L"\n");
 		ShowInfo ("VOL_HEADER_BACKED_UP");
+
+		// display again warning that master key is vulnerable
+		if (masterKeyVulnerable)
+			ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
 	}
 
 	void TextUserInterface::ChangePassword (shared_ptr <VolumePath> volumePath, shared_ptr <VolumePassword> password, int pim, shared_ptr <Hash> currentHash, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, shared_ptr <Hash> newHash) const
@@ -532,6 +544,12 @@ namespace VeraCrypt
 			break;
 		}
 
+		// display warning if volume master key is vulnerable
+		if (volume->IsMasterKeyVulnerable())
+		{
+			ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
+		}
+
 		// New password
 		if (!newPassword.get() && !Preferences.NonInteractive)
 			newPassword = AskPassword (_("Enter new password"), true);
@@ -1539,6 +1557,7 @@ namespace VeraCrypt
 		/* force the display of the random enriching interface */
 		RandomNumberGenerator::SetEnrichedByUserStatus (false);
 
+		bool masterKeyVulnerable = false;
 		if (restoreInternalBackup)
 		{
 			// Restore header from the internal backup
@@ -1586,6 +1605,8 @@ namespace VeraCrypt
 				throw_err (LangString ["VOLUME_HAS_NO_BACKUP_HEADER"]);
 			}
 
+			masterKeyVulnerable = volume->IsMasterKeyVulnerable();
+
 			RandomNumberGenerator::Start();
 			UserEnrichRandomPool();
 
@@ -1673,6 +1694,7 @@ namespace VeraCrypt
 						if (layout->GetHeader()->Decrypt (headerBuffer, *passwordKey, options.Pim, kdf, layout->GetSupportedKeyDerivationFunctions(), layout->GetSupportedEncryptionAlgorithms(), layout->GetSupportedEncryptionModes()))
 						{
 							decryptedLayout = layout;
+							masterKeyVulnerable = layout->GetHeader()->IsMasterKeyVulnerable();
 							break;
 						}
 					}
@@ -1723,6 +1745,11 @@ namespace VeraCrypt
 
 		ShowString (L"\n");
 		ShowInfo ("VOL_HEADER_RESTORED");
+		// display warning if the volume master key is vulnerable
+		if (masterKeyVulnerable)
+		{
+			ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
+		}
 	}
 
 	void TextUserInterface::SetTerminalEcho (bool enable)

src/Main/UserInterface.cpp

@@ -652,6 +652,7 @@ namespace VeraCrypt
 
 		bool protectedVolumeMounted = false;
 		bool legacyVolumeMounted = false;
+		bool vulnerableVolumeMounted = false;
 
 		foreach_ref (const HostDevice &device, devices)
 		{
@@ -694,6 +695,10 @@ namespace VeraCrypt
 
 				if (newMountedVolumes.back()->EncryptionAlgorithmMinBlockSize == 8)
 					legacyVolumeMounted = true;
+
+				if (newMountedVolumes.back()->MasterKeyVulnerable)
+					vulnerableVolumeMounted = true;
+				
 			}
 			catch (DriverError&) { }
 			catch (MissingVolumeData&) { }
@@ -708,6 +713,9 @@ namespace VeraCrypt
 		}
 		else
 		{
+			if (vulnerableVolumeMounted)
+				ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
+
 			if (someVolumesShared)
 				ShowWarning ("DEVICE_IN_USE_INFO");
 
@@ -741,10 +749,12 @@ namespace VeraCrypt
 
 			favorite.ToMountOptions (options);
 
+			bool mountPerformed = false;
 			if (Preferences.NonInteractive)
 			{
 				BusyScope busy (this);
 				newMountedVolumes.push_back (Core->MountVolume (options));
+				mountPerformed = true;
 			}
 			else
 			{
@@ -752,6 +762,7 @@ namespace VeraCrypt
 				{
 					BusyScope busy (this);
 					newMountedVolumes.push_back (Core->MountVolume (options));
+					mountPerformed = true;
 				}
 				catch (...)
 				{
@@ -769,6 +780,9 @@ namespace VeraCrypt
 					newMountedVolumes.push_back (volume);
 				}
 			}
+			
+			if (mountPerformed && newMountedVolumes.back()->MasterKeyVulnerable)
+				ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
 		}
 
 		if (!newMountedVolumes.empty() && GetPreferences().CloseSecurityTokenSessionsAfterMount)
@@ -805,6 +819,9 @@ namespace VeraCrypt
 			}
 		}
 
+		if (volume->MasterKeyVulnerable)
+			ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
+
 		if (volume->EncryptionAlgorithmMinBlockSize == 8)
 			ShowWarning ("WARN_64_BIT_BLOCK_CIPHER");
 

src/Mount/Mount.c

@@ -1259,6 +1259,20 @@ static BOOL SysEncryptionOrDecryptionRequired (void)
 	);
 }
 
+// Returns TRUE if system encryption master key is vulnerable
+static BOOL SysEncryptionMasterKeyVulnerable (void)
+{
+	try
+	{
+		BootEncStatus = BootEncObj->GetStatus();
+		return (BootEncStatus.DriveMounted || BootEncStatus.DriveEncrypted) && BootEncStatus.MasterKeyVulnerable;
+	}
+	catch (Exception &)
+	{
+		return FALSE;
+	}
+}
+
 // Returns TRUE if the system partition/drive is completely encrypted
 static BOOL SysDriveOrPartitionFullyEncrypted (BOOL bSilent)
 {
@@ -7435,10 +7449,12 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 
 			if (!Quit)	// Do not care about system encryption or in-place encryption if we were launched from the system startup sequence (the wizard was added to it too).
 			{
+				BOOL bActionPerformed = FALSE;
 				if (SysEncryptionOrDecryptionRequired ())
 				{
 					if (!MutexExistsOnSystem (TC_MUTEX_NAME_SYSENC))	// If no instance of the wizard is currently taking care of system encryption
 					{
+						bActionPerformed = TRUE;
 						// We shouldn't block the mutex at this point
 
 						if (SystemEncryptionStatus == SYSENC_STATUS_PRETEST
@@ -7465,7 +7481,17 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 				{
 					BOOL bDecrypt = FALSE;
 					if (AskNonSysInPlaceEncryptionResume(hwndDlg, &bDecrypt) == IDYES)
+					{
+						bActionPerformed = TRUE;
 						ResumeInterruptedNonSysInplaceEncProcess (bDecrypt);
+					}
+				}
+
+				if (!bActionPerformed)
+				{
+					// display warning if the master key is vulnerable
+					if (SysEncryptionMasterKeyVulnerable())
+						WarningTopMost ("ERR_SYSENC_XTS_MASTERKEY_VULNERABLE", hwndDlg);
 				}
 			}
 
@@ -11447,6 +11473,12 @@ int RestoreVolumeHeader (HWND hwndDlg, const wchar_t *lpszVolume)
 			handleError (hwndDlg, nStatus, SRC_POS);
 		}
 
+		// display a warning if the master key is vulnerable
+		if (restoredCryptoInfo->bVulnerableMasterKey)
+		{
+			Warning ("ERR_XTS_MASTERKEY_VULNERABLE", hwndDlg);
+		}
+
 		BOOL hiddenVol = restoredCryptoInfo->hiddenVolume;
 
 		if (legacyBackup)

src/Volume/Volume.h

@@ -114,6 +114,7 @@ namespace VeraCrypt
 		void ReEncryptHeader (bool backupHeader, const ConstBufferPtr &newSalt, const ConstBufferPtr &newHeaderKey, shared_ptr <Pkcs5Kdf> newPkcs5Kdf);
 		void WriteSectors (const ConstBufferPtr &buffer, uint64 byteOffset);
 		bool IsEncryptionNotCompleted () const { return EncryptionNotCompleted; }
+		bool IsMasterKeyVulnerable() const { return Header && Header->IsMasterKeyVulnerable(); }
 
 	protected:
 		void CheckProtectedRange (uint64 writeHostOffset, uint64 writeLength);

src/Volume/VolumeHeader.cpp

@@ -47,6 +47,7 @@ namespace VeraCrypt
 		EncryptedAreaLength = 0;
 		Flags = 0;
 		SectorSize = 0;
+		XtsKeyVulnerable = false;
 	}
 
 	void VolumeHeader::Create (const BufferPtr &headerBuffer, VolumeHeaderCreationOptions &options)
@@ -62,6 +63,9 @@ namespace VeraCrypt
 		DataAreaKey.Zero();
 		DataAreaKey.CopyFrom (options.DataKey);
 
+		// check if the XTS key is vulnerable by comparing the two parts of the key
+		XtsKeyVulnerable = (memcmp (options.DataKey.Get() + options.EA->GetKeySize(), options.DataKey.Get(), options.EA->GetKeySize()) == 0);
+
 		VolumeCreationTime = 0;
 		HiddenVolumeDataSize = (options.Type == VolumeType::Hidden ? options.VolumeDataSize : 0);
 		VolumeDataSize = options.VolumeDataSize;
@@ -235,6 +239,9 @@ namespace VeraCrypt
 			ea->SetKeyXTS (header.GetRange (offset + ea->GetKeySize(), ea->GetKeySize()));
             #endif
 			mode->SetKey (header.GetRange (offset + ea->GetKeySize(), ea->GetKeySize()));
+
+			// check if the XTS key is vulnerable by comparing the two parts of the key
+			XtsKeyVulnerable = (memcmp (DataAreaKey.Ptr() + ea->GetKeySize(), DataAreaKey.Ptr(), ea->GetKeySize()) == 0);
 		}
 		else
 		{

src/Volume/VolumeHeader.h

@@ -76,6 +76,7 @@ namespace VeraCrypt
 		uint64 GetVolumeDataSize () const { return VolumeDataSize; }
 		VolumeTime GetVolumeCreationTime () const { return VolumeCreationTime; }
 		void SetSize (uint32 headerSize);
+		bool IsMasterKeyVulnerable () const { return XtsKeyVulnerable; }
 
 	protected:
 		bool Deserialize (const ConstBufferPtr &header, shared_ptr <EncryptionAlgorithm> &ea, shared_ptr <EncryptionMode> &mode);
@@ -120,6 +121,7 @@ namespace VeraCrypt
 		uint32 SectorSize;
 
 		SecureBuffer DataAreaKey;
+		bool XtsKeyVulnerable;
 
 	private:
 		VolumeHeader (const VolumeHeader &);

src/Volume/VolumeInfo.cpp

@@ -55,6 +55,7 @@ namespace VeraCrypt
 		VirtualDevice = sr.DeserializeWString ("VirtualDevice");
 		sr.Deserialize ("VolumeCreationTime", VolumeCreationTime);
 		sr.Deserialize ("Pim", Pim);
+		sr.Deserialize ("MasterKeyVulnerable", MasterKeyVulnerable);
 	}
 
 	bool VolumeInfo::FirstVolumeMountedAfterSecond (shared_ptr <VolumeInfo> first, shared_ptr <VolumeInfo> second)
@@ -95,6 +96,7 @@ namespace VeraCrypt
 		sr.Serialize ("VirtualDevice", wstring (VirtualDevice));
 		sr.Serialize ("VolumeCreationTime", VolumeCreationTime);
 		sr.Serialize ("Pim", Pim);
+		sr.Serialize ("MasterKeyVulnerable", MasterKeyVulnerable);
 	}
 
 	void VolumeInfo::Set (const Volume &volume)
@@ -119,6 +121,7 @@ namespace VeraCrypt
 		TotalDataRead = volume.GetTotalDataRead();
 		TotalDataWritten = volume.GetTotalDataWritten();
 		Pim = volume.GetPim ();
+		MasterKeyVulnerable = volume.IsMasterKeyVulnerable();
 	}
 
 	TC_SERIALIZER_FACTORY_ADD_CLASS (VolumeInfo);

src/Volume/VolumeInfo.h

@@ -61,7 +61,7 @@ namespace VeraCrypt
 		DevicePath VirtualDevice;
 		VolumeTime VolumeCreationTime;
 		int Pim;
-
+		bool MasterKeyVulnerable;
 	private:
 		VolumeInfo (const VolumeInfo &);
 		VolumeInfo &operator= (const VolumeInfo &);