Info

Disclosure

Apr 30, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

TrueCrypt contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is caused by the unsafe use of the 'execvp()' function to execute external commands without sanitising the user's current PATH settings. This flaw may lead to a loss of integrity.

Classification

Location: Local Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Rumored
Disclosure: OSVDB Verified, Vendor Verified

Solution

Upgrade to version 4.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

TrueCrypt

4.1

References

Secunia Advisory ID: 19903
CVE ID: 2006-2183 (see also: NVD)
VUPEN Advisory: ADV-2006-1591
Other Advisory URL: http://lists.immunitysec.com/pipermail/dailydave/2006-April/003152.html
Vendor URL: http://www.truecrypt.org/
Vendor Specific News/Changelog Entry: http://www.truecrypt.org/history.php

Credit

Julien Tinnes - julien.tinnesfrancetelecom.com -

Direct URL: http://osvdb.org/25131