CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2014-2884
https://notcve.org/view.php?id=CVE-2014-2884
The ProcessVolumeDeviceControlIrp function in Ntdriver.c in TrueCrypt 7.1a allows local users to bypass access restrictions and obtain sensitive information about arbitrary files via a (1) TC_IOCTL_OPEN_TEST or (2) TC_IOCTL_GET_SYSTEM_DRIVE_CONFIG IOCTL call. La función ProcessVolumeDeviceControlIrp en Ntdriver.c en TrueCrypt 7.1a permite que usuarios locales omitan las restricciones de acceso y obtengan información sensible sobre archivos arbitrarios mediante una llamada (1) TC_IOCTL_OPEN_TEST o (2) TC_IOCTL_GET_SYSTEM_DRIVE_CONFIG IOCTL. • http://www.openwall.com/lists/oss-security/2014/04/17/7 https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-284: Improper Access Control •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2014-2885
https://notcve.org/view.php?id=CVE-2014-2885
Multiple integer overflows in TrueCrypt 7.1a allow local users to (1) obtain sensitive information via vectors involving a crafted item->OriginalLength value in the MainThreadProc function in EncryptedIoQueue.c or (2) cause a denial of service (memory consumption) via vectors involving large StartingOffset and Length values in the ProcessVolumeDeviceControlIrp function in Ntdriver.c. Múltiples desbordamientos de enteros en TrueCrypt 7.1a permiten que usuarios locales (1) obtengan información sensible mediante vectores relacionados con un valor item->OriginalLength manipulado en la función MainThreadProc en EncryptedIoQueue.c o (2) provoquen una denegación de servicio (consumo de memoria) mediante vectores relacionados con valores StartingOffset y Length grandes en la función ProcessVolumeDeviceControlIrp en Ntdriver.c. • http://www.openwall.com/lists/oss-security/2014/04/17/7 https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf • CWE-190: Integer Overflow or Wraparound CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-400: Uncontrolled Resource Consumption •