Description of Issue in Key Derivation Functions
DataVault software versions 6 and 7.1, and their derivatives, employ a one-way cryptographic hash with a predictable salt, making it vulnerable to dictionary-type attacks by a malicious user. The software also made use of a password hash with an insufficient computational effort that would allow a sophisticated attacker to brute force user passwords, and potentially lead to unauthorized access and improper use of user data.
Both of the key derivation function issues in v.7 described above have been resolved in the updated version DataVault 7.2.1
There have never been any reports from DataVault users of any data security leak or failure, or of any event that could lead to the conclusion that these key derivation function issues have resulted in the unauthorized access to, or illicit use of, any customer data.
While these issues present a narrow risk, in order to ensure total integrity of data we urge users of DataVault 7 to download and install version 7.2.1 immediately. As with any update, it is best to back up your data before installing the upgrade. Back up your Secure Folder data by opening the Secure Settings Menu in each folder.
After updating your installed DataVault to v 7.2.1, you should change your license account password.
DataVault 6 Users
We strongly recommend that users of DataVault 6 download and install DataVault 7.2.1. Since this is an upgrade and not an update, a new license is required in order to activate the v. 7.2.1 software.
Your existing DataVault 6 Vault should integrate into the DataVault 7 user interface automatically, however, you should back up your Vault folder before installing the upgrade, using the built-in Backup function in the program's Tools menu.
When purchasing your DataVault 7 license, you will be establishing a new password to use for accessing the Secure Folders you create in the program.
The key derivation function issues have been addressed by using PBKDF2-SHA256 together with a randomly generated salt.
CVE Number: CVE-2021-36750
On behalf of all partners, ENC Security would like to thank Sylvain Pelissier for reporting this issue.