CVE-2015-7358 in Truecrypt
Summary
by MITRE
The IsDriveLetterAvailable method in Driver/Ntdriver.c in TrueCrypt 7.0, VeraCrypt before 1.15, and CipherShed, when running on Windows, does not properly validate drive letter symbolic links, which allows local users to mount an encrypted volume over an existing drive letter and gain privileges via an entry in the /GLOBAL?? directory.
Analysis
by VulDB Data Team • 07/14/2025
The vulnerability tracked as CVE-2015-7358 is a critical privilege escalation flaw in several disk encryption utilities: TrueCrypt 7.0, VeraCrypt versions prior to 1.15, and CipherShed, when running on Windows. It stems from improper validation of drive letter symbolic links in the kernel-mode driver of these tools, specifically in the IsDriveLetterAvailable method in Driver/Ntdriver.c. The flaw lets a local attacker interfere with the system's drive letter assignment and mount an encrypted volume over a drive letter that is already in use, which opens a path to unauthorized privilege elevation.
Exploitation relies on the Windows kernel's handling of symbolic links in the \GLOBAL?? object directory, the global namespace in which drive letters are mapped to device objects. Because IsDriveLetterAvailable does not properly validate the drive letter symbolic links it checks, a malicious local user can create or manipulate entries under \GLOBAL??. Since the entries in this directory are the symbolic links that map drive letters to actual device objects, the missing validation means an attacker can potentially overwrite or hijack an existing link that points to a legitimate system drive or another critical volume.
The operational impact extends beyond simple privilege escalation: it also gives an attacker unauthorized access to encrypted volumes that may hold sensitive data. The attack requires local access, which makes it particularly dangerous in environments where users legitimately log on to systems but should not hold elevated privileges. Once the vulnerability is exploited, an attacker could mount an encrypted volume over a legitimate drive letter and thereby reach system files, user data, or even administrative resources that the encryption layer previously protected. The weakness maps to CWE-264 (permissions, privileges, and access controls) and to ATT&CK technique T1068, which covers local privilege escalation through kernel exploits.
The vulnerability exposes a fundamental weakness in how these encryption utilities manage system resources and perform device namespace operations. The missing validation sits at the driver level, exactly where strict checks on drive letter assignments should prevent conflicts with existing system drives. It is a classic case of inadequate input validation and insufficient privilege separation in a kernel-mode driver, where the consequences of a faulty check reach far beyond the application's intended scope. Security researchers have noted that such flaws are hard to detect and remediate because they operate in the kernel, where user-mode protections do not apply, which makes correct access control and validation logic in the driver critical for system security. Organizations running affected versions should update to patched releases without delay, enforce strict access controls, and monitor system logs for unauthorized drive letter assignments.
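As an added defensive example, not part of the VulDB analysis or of any of the affected projects, the following Python script implements the drive-letter monitoring mitigation mentioned above: it compares a known-good snapshot of drive-letter-to-device mappings with a later one and flags letters that previously resolved to an ordinary disk but now resolve to an encryption-driver volume object. The `\Device\TrueCryptVolume` and `\Device\VeraCryptVolume` prefixes and both snapshots are assumptions; on Windows the live mapping is read with the Win32 `QueryDosDeviceW` call, elsewhere only the constructed sample runs.

```python
import sys
from typing import Dict, List

# Device-name prefixes the affected drivers use for their mounted volumes
# (assumed from the TrueCrypt/VeraCrypt sources; not quoted on this page).
ENCRYPTED_VOLUME_PREFIXES = ("\\Device\\TrueCryptVolume", "\\Device\\VeraCryptVolume")


def live_drive_letter_map() -> Dict[str, str]:
    """Read the current drive-letter links via the Win32 QueryDosDeviceW call.

    Returns an empty dict on non-Windows hosts so the constructed sample
    below can still be exercised offline.
    """
    if sys.platform != "win32":
        return {}
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.QueryDosDeviceW.argtypes = (wintypes.LPCWSTR, wintypes.LPWSTR, wintypes.DWORD)
    k32.QueryDosDeviceW.restype = wintypes.DWORD
    buf = ctypes.create_unicode_buffer(1024)
    mapping = {}
    for code in range(ord("A"), ord("Z") + 1):
        letter = chr(code) + ":"
        if k32.QueryDosDeviceW(letter, buf, len(buf)):
            mapping[letter] = buf.value  # first NUL-terminated target only
    return mapping


def find_hijacked_letters(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Return letters that mapped to a non-encrypted device in the baseline but now
    resolve to an encrypted-volume device: the symptom of a volume mounted over an
    existing drive letter. A mount on a previously unused letter is ordinary use."""
    hijacked = []
    for letter, target in current.items():
        previous = baseline.get(letter)
        if previous is None:
            continue  # letter was free before: a normal mount, not a hijack
        if target.startswith(ENCRYPTED_VOLUME_PREFIXES) and not previous.startswith(ENCRYPTED_VOLUME_PREFIXES):
            hijacked.append(letter)
    return sorted(hijacked)


# Constructed sample snapshots (not real captures): D: was the data disk in the
# known-good baseline and later resolves to an encryption-driver volume object.
BASELINE = {"C:": "\\Device\\HarddiskVolume2", "D:": "\\Device\\HarddiskVolume3", "E:": "\\Device\\CdRom0"}
LATER = {"C:": "\\Device\\HarddiskVolume2", "D:": "\\Device\\VeraCryptVolumeD",
         "E:": "\\Device\\CdRom0", "Z:": "\\Device\\VeraCryptVolumeZ"}

if __name__ == "__main__":
    current = live_drive_letter_map() or LATER
    for letter in find_hijacked_letters(BASELINE, current):
        print(f"ALERT: {letter} now resolves to {current[letter]} (baseline: {BASELINE[letter]})")
```

The baseline would normally be captured once from a trusted state and stored; the script then runs on a schedule or from a log-forwarding agent.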