The first vulnerability advisory affecting Data Encryption Systems DESlock+ has been released in the hope that a two and a half year old vulnerability will finally be fixed.
The vulnerability in question exists due to the improper validation of a user-supplied pointer within a structure passed as argument to the IOCTL interface exported from the globally accessible “\\.\DLPTokenWalter0” device. An attacker exploiting this vulnerability may execute arbitrary code with kernel mode privileges, or cause a Denial of Service attack via a page fault caused by an invalid pointer dereference. All version of DESLock+ are affected, including the CESG CCTM (http://www.cctmark.gov.uk/) approved version (v3.2.7), however, it should be noted that whilst Data Encryption Systems Ltd continue to tout the CCTM accreditation, the accreditation itself expired in May 2010.
Data Encryption Systems Ltd received the best “Encryption Solution of the Year” at “The Computing Security Awards 2010″ (http://www.computingsecurityawards.co.uk/).