The first vulnerability advisory affecting Securstar DriveCrypt has been released; the advisory itself covers many vulnerabilities.
The vulnerability in question exists due to the improper validation of a user-supplied pointer within a structure passed as an argument to the IOCTL interface exported from the globally accessible “\\.\DCR” device. An attacker exploiting this vulnerability may execute arbitrary code with kernel mode privileges, or cause a Denial of Service via a page fault triggered by an invalid pointer dereference. All versions of Securstar DriveCrypt <= 5.2 are affected.
Whilst Digit Security typically waits for vendors to release verifiable patches for the issues and vulnerabilities we discover, the following comment from Securstar should be noted with respect to some of the fixes applied in the latest version of DriveCrypt:
“The user mode app still leverages the driver for some of the I/O, but in a way which cannot be exploited as easily as before, without some prior transient elevation to admin level. I am still checing [sic] a couple of aspects to be sure it is reasonably secure, IE less easy to exploit.”
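The validation whose absence the advisory describes, as an added example that is not Digit Security's or Securstar's code: a user-space C model of the range check a driver should apply to a pointer embedded in an IOCTL structure before dereferencing it. The `ioctl_request` layout, the `USER_PROBE_LIMIT` value and all function names are assumptions made for illustration; DriveCrypt's actual structures do not appear on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model value standing in for the top of user address space
   (the role MmUserProbeAddress plays on Windows). */
#define USER_PROBE_LIMIT 0x00007FFFFFFF0000ULL

/* Hypothetical IOCTL input: a structure carrying an embedded pointer. */
typedef struct {
    uint64_t out_ptr;  /* caller-supplied address the driver would write to */
    uint32_t out_len;  /* number of bytes the driver would write */
} ioctl_request;

typedef enum { REQ_OK, REQ_TOO_SHORT, REQ_NULL, REQ_OVERFLOW, REQ_KERNEL_RANGE } req_status;

/* Validate the embedded pointer before anything dereferences it. */
req_status validate_request(const void *buf, size_t buf_len)
{
    ioctl_request req;
    if (buf == NULL || buf_len < sizeof req)
        return REQ_TOO_SHORT;
    /* Capture once: later checks and use must see the same values even if
       another user thread rewrites the buffer (double fetch). */
    memcpy(&req, buf, sizeof req);
    if (req.out_ptr == 0)
        return REQ_NULL;
    uint64_t end = req.out_ptr + req.out_len;
    if (end < req.out_ptr)               /* ptr + len wrapped around */
        return REQ_OVERFLOW;
    if (end > USER_PROBE_LIMIT)          /* range reaches kernel addresses */
        return REQ_KERNEL_RANGE;
    return REQ_OK;
}

/* Helper: build a constructed request and run it through the validator. */
req_status check_request(uint64_t ptr, uint32_t len)
{
    ioctl_request r = { ptr, len };
    return validate_request(&r, sizeof r);
}

int main(void)
{
    printf("user buffer:    %d\n", check_request(0x0000000000010000ULL, 0x100));
    printf("kernel address: %d\n", check_request(0xFFFFF80000001000ULL, 8));
    printf("wrapping range: %d\n", check_request(0xFFFFFFFFFFFFFFF8ULL, 0x10));
    return 0;
}
```

In a real Windows driver this job is done by `ProbeForRead`/`ProbeForWrite` inside a `__try`/`__except` block, applied to every embedded pointer and not only to the outer IOCTL buffer.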