Implement detection of volumes with vulnerable XTS master key.

If vulnerability detected, a warning message is displayed during mount or backup/restore header, and changing the password is disallowed since it will not change the master key.
fzxx · Aug 1, 2024 · ed1263b · ed1263b
1 parent 6121ca0
commit ed1263b
Show file tree

Hide file tree

Showing 24 changed files with 186 additions and 7 deletions.
diff --git a/src/Common/Apidrvr.h b/src/Common/Apidrvr.h
@@ -177,6 +177,7 @@ typedef struct
 	ULONG MaximumTransferLength;
 	ULONG MaximumPhysicalPages;
 	ULONG AlignmentMask;
+	BOOL VolumeMasterKeyVulnerable;
 } MOUNT_STRUCT;
 
 typedef struct
@@ -316,6 +317,8 @@ typedef struct
 	// is read-only (or mounted an outer/normal TrueCrypt volume as read only)
 	uint32 HiddenSysLeakProtectionCount;
 
+	BOOL MasterKeyVulnerable;
+
 } BootEncryptionStatus;
 
 

diff --git a/src/Common/BootEncryption.cpp b/src/Common/BootEncryption.cpp
@@ -1462,6 +1462,7 @@ namespace VeraCrypt
 		/* IMPORTANT: Do NOT add any potentially time-consuming operations to this function. */
 
 		BootEncryptionStatus status;
+		memset (&status, 0, sizeof(status));
 		CallDriver (TC_IOCTL_GET_BOOT_ENCRYPTION_STATUS, NULL, 0, &status, sizeof (status));
 		return status;
 	}
@@ -5401,6 +5402,10 @@ namespace VeraCrypt
 		int status = ReadVolumeHeader (!encStatus.HiddenSystem, header, oldPassword, old_pkcs5, old_pim, &cryptoInfo, NULL);
 		finally_do_arg (PCRYPTO_INFO, cryptoInfo, { if (finally_arg) crypto_close (finally_arg); });
 
+		// if the XTS master key is vulnerable, return error and do not allow the user to change the password since the master key will not be changed
+		if (cryptoInfo->bVulnerableMasterKey)
+			status = ERR_SYSENC_XTS_MASTERKEY_VULNERABLE;
+
 		if (status != 0)
 		{
 			handleError (hwndDlg, status, SRC_POS);

diff --git a/src/Common/Crypto.h b/src/Common/Crypto.h
@@ -277,6 +277,8 @@ typedef struct CRYPTO_INFO_t
 
 	uint32 SectorSize;
 
+	BOOL bVulnerableMasterKey; // TRUE if XTS primary key is identical to secondary key (i.e. the volume is vulnerable to attack on XTS mode)
+
 #endif // !TC_WINDOWS_BOOT
 
 	UINT64_STRUCT VolumeSize;

diff --git a/src/Common/Dlgcode.c b/src/Common/Dlgcode.c
@@ -5577,6 +5577,14 @@ void handleError (HWND hwndDlg, int code, const char* srcPos)
 		break;
 #endif
 
+	case ERR_XTS_MASTERKEY_VULNERABLE:
+		MessageBoxW (hwndDlg, AppendSrcPos (GetString ("ERR_XTS_MASTERKEY_VULNERABLE"), srcPos).c_str(), lpszTitle, ICON_HAND);
+		break;
+
+	case ERR_SYSENC_XTS_MASTERKEY_VULNERABLE:
+		MessageBoxW (hwndDlg, AppendSrcPos (GetString ("ERR_SYSENC_XTS_MASTERKEY_VULNERABLE"), srcPos).c_str(), lpszTitle, ICON_HAND);
+		break;
+
 	default:
 		StringCbPrintfW (szTmp, sizeof(szTmp), GetString ("ERR_UNKNOWN"), code);
 		MessageBoxW (hwndDlg, AppendSrcPos (szTmp, srcPos).c_str(), lpszTitle, ICON_HAND);
@@ -8953,6 +8961,12 @@ int MountVolume (HWND hwndDlg,
 
 	LastMountedVolumeDirty = mount.FilesystemDirty;
 
+	if (mount.VolumeMasterKeyVulnerable
+		&& !Silent)
+	{
+		Warning ("ERR_XTS_MASTERKEY_VULNERABLE", hwndDlg);
+	}
+
 	if (mount.FilesystemDirty)
 	{
 		wchar_t msg[1024];

diff --git a/src/Common/Language.xml b/src/Common/Language.xml
@@ -1638,6 +1638,9 @@
     <entry lang="en" key="LINUX_LANGUAGE">Language</entry>
     <entry lang="en" key="LINUX_SELECT_SYS_DEFAULT_LANG">Select system's default language</entry>
     <entry lang="en" key="LINUX_RESTART_FOR_LANGUAGE_CHANGE">For the language change to come into effect, VeraCrypt needs to be restarted.</entry>
+    <entry lang="en" key="ERR_XTS_MASTERKEY_VULNERABLE">WARNING: The volume's master key is vulnerable to an attack that compromises data security.\n\nPlease create a new volume and transfer the data to it.</entry>
+    <entry lang="en" key="ERR_SYSENC_XTS_MASTERKEY_VULNERABLE">WARNING: The encrypted system's master key is vulnerable to an attack that compromises data security.\nPlease decrypt the system partition/drive and then re-encrypt it.</entry>
+    <entry lang="en" key="ERR_XTS_MASTERKEY_VULNERABLE_SHORT">WARNING: The volume's master key has a security vulnerability.</entry>
   </localization>
   <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
     <xs:element name="VeraCrypt">

diff --git a/src/Common/Password.c b/src/Common/Password.c
@@ -371,6 +371,10 @@ int ChangePwd (const wchar_t *lpszVolume, Password *oldPassword, int old_pkcs5,
 		if (nStatus == ERR_CIPHER_INIT_WEAK_KEY)
 			nStatus = 0;	// We can ignore this error here
 
+		// if the XTS master key is vulnerable, return error and do not allow the user to change the password since the master key will not be changed
+		if (cryptoInfo->bVulnerableMasterKey)
+			nStatus = ERR_XTS_MASTERKEY_VULNERABLE;
+
 		if (nStatus == ERR_PASSWORD_WRONG)
 		{
 			continue;		// Try next volume type

diff --git a/src/Common/Tcdefs.h b/src/Common/Tcdefs.h
@@ -494,7 +494,9 @@ enum
 	ERR_NONSYS_INPLACE_ENC_INCOMPLETE		= 32,
 	ERR_USER_ABORT							= 33,
 	ERR_RAND_INIT_FAILED					= 34,
-	ERR_CAPI_INIT_FAILED					= 35
+	ERR_CAPI_INIT_FAILED					= 35,
+	ERR_XTS_MASTERKEY_VULNERABLE			= 36,
+	ERR_SYSENC_XTS_MASTERKEY_VULNERABLE			= 37
 };
 
 #endif 	// #ifndef TCDEFS_H
diff --git a/src/Common/Volumes.c b/src/Common/Volumes.c
@@ -597,6 +597,14 @@ KeyReady:	;
 					goto err;
 				}
 
+				// check that first half of keyInfo.master_keydata is different from the second half. If they are the same return error
+				if (memcmp (keyInfo->master_keydata, keyInfo->master_keydata + EAGetKeySize (cryptoInfo->ea), EAGetKeySize (cryptoInfo->ea)) == 0)
+				{
+					cryptoInfo->bVulnerableMasterKey = TRUE;
+					if (retHeaderCryptoInfo)
+						retHeaderCryptoInfo->bVulnerableMasterKey = TRUE;
+				}
+
 				status = ERR_SUCCESS;
 				goto ret;
 			}

diff --git a/src/Core/Core.h b/src/Core/Core.h
@@ -82,9 +82,13 @@ namespace VeraCrypt
 		shared_ptr <Pkcs5Kdf> m_newPkcs5Kdf;
 		int m_wipeCount;
 		bool m_emvSupportEnabled;
-		ChangePasswordThreadRoutine(shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, shared_ptr <Pkcs5Kdf> newPkcs5Kdf, int wipeCount, bool emvSupportEnabled) : m_volumePath(volumePath), m_preserveTimestamps(preserveTimestamps), m_password(password), m_pim(pim), m_kdf(kdf), m_keyfiles(keyfiles), m_newPassword(newPassword), m_newPim(newPim), m_newKeyfiles(newKeyfiles), m_newPkcs5Kdf(newPkcs5Kdf), m_wipeCount(wipeCount), m_emvSupportEnabled(emvSupportEnabled)  {}
+		bool m_masterKeyVulnerable;
+		ChangePasswordThreadRoutine(shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, shared_ptr <Pkcs5Kdf> newPkcs5Kdf, int wipeCount, bool emvSupportEnabled) : m_volumePath(volumePath), m_preserveTimestamps(preserveTimestamps), m_password(password), m_pim(pim), m_kdf(kdf), m_keyfiles(keyfiles), m_newPassword(newPassword), m_newPim(newPim), m_newKeyfiles(newKeyfiles), m_newPkcs5Kdf(newPkcs5Kdf), m_wipeCount(wipeCount), m_emvSupportEnabled(emvSupportEnabled), m_masterKeyVulnerable(false)  {}
 		virtual ~ChangePasswordThreadRoutine() { }
-		virtual void ExecutionCode(void) { Core->ChangePassword(m_volumePath, m_preserveTimestamps, m_password, m_pim, m_kdf, m_keyfiles, m_newPassword, m_newPim, m_newKeyfiles, m_emvSupportEnabled, m_newPkcs5Kdf, m_wipeCount); }
+		virtual void ExecutionCode(void) { 
+			shared_ptr <Volume> openVolume = Core->ChangePassword(m_volumePath, m_preserveTimestamps, m_password, m_pim, m_kdf, m_keyfiles, m_newPassword, m_newPim, m_newKeyfiles, m_emvSupportEnabled, m_newPkcs5Kdf, m_wipeCount); 
+			m_masterKeyVulnerable = openVolume->IsMasterKeyVulnerable();
+		}
 	};
 
 	class OpenVolumeThreadRoutine : public WaitThreadRoutine

diff --git a/src/Core/CoreBase.cpp b/src/Core/CoreBase.cpp
@@ -77,10 +77,11 @@ namespace VeraCrypt
 		}
 	}
 
-	void CoreBase::ChangePassword (shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, bool emvSupportEnabled, shared_ptr <Pkcs5Kdf> newPkcs5Kdf, int wipeCount) const
+	shared_ptr <Volume> CoreBase::ChangePassword (shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, bool emvSupportEnabled, shared_ptr <Pkcs5Kdf> newPkcs5Kdf, int wipeCount) const
 	{
 		shared_ptr <Volume> volume = OpenVolume (volumePath, preserveTimestamps, password, pim, kdf, keyfiles, emvSupportEnabled);
 		ChangePassword (volume, newPassword, newPim, newKeyfiles, emvSupportEnabled, newPkcs5Kdf, wipeCount);
+		return volume;
 	}
 
 	void CoreBase::CoalesceSlotNumberAndMountPoint (MountOptions &options) const

diff --git a/src/Core/CoreBase.h b/src/Core/CoreBase.h
@@ -34,7 +34,7 @@ namespace VeraCrypt
 		virtual ~CoreBase ();
 
 		virtual void ChangePassword (shared_ptr <Volume> openVolume, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, bool emvSupportEnabled, shared_ptr <Pkcs5Kdf> newPkcs5Kdf = shared_ptr <Pkcs5Kdf> (), int wipeCount = PRAND_HEADER_WIPE_PASSES) const;
-		virtual void ChangePassword (shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, bool emvSupportEnabled, shared_ptr <Pkcs5Kdf> newPkcs5Kdf = shared_ptr <Pkcs5Kdf> (), int wipeCount = PRAND_HEADER_WIPE_PASSES) const;
+		virtual shared_ptr <Volume> ChangePassword (shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, bool emvSupportEnabled, shared_ptr <Pkcs5Kdf> newPkcs5Kdf = shared_ptr <Pkcs5Kdf> (), int wipeCount = PRAND_HEADER_WIPE_PASSES) const;
 		virtual void CheckFilesystem (shared_ptr <VolumeInfo> mountedVolume, bool repair = false) const = 0;
 		virtual void CoalesceSlotNumberAndMountPoint (MountOptions &options) const;
 		virtual void CreateKeyfile (const FilePath &keyfilePath) const;

diff --git a/src/Driver/DriveFilter.c b/src/Driver/DriveFilter.c
@@ -522,10 +522,16 @@ static NTSTATUS MountDrive (DriveFilterExtension *Extension, Password *password,
 
 	if (ReadVolumeHeader (!hiddenVolume, header, password, pkcs5_prf, pim, &Extension->Queue.CryptoInfo, Extension->HeaderCryptoInfo) == 0)
 	{
-		// Header decrypted
+		// Header decrypted		
 		status = STATUS_SUCCESS;
 		Dump ("Header decrypted\n");
 
+		if (Extension->HeaderCryptoInfo->bVulnerableMasterKey)
+		{
+			// The volume header master key is vulnerable
+			Dump ("The volume header master key is vulnerable\n");
+		}
+
 		// calculate Fingerprint
 		ComputeBootLoaderFingerprint (Extension->LowerDeviceObject, header);
 
@@ -2017,6 +2023,7 @@ void GetBootEncryptionStatus (PIRP irp, PIO_STACK_LOCATION irpSp)
 			bootEncStatus->ConfiguredEncryptedAreaStart = Extension->ConfiguredEncryptedAreaStart;
 			bootEncStatus->ConfiguredEncryptedAreaEnd = Extension->ConfiguredEncryptedAreaEnd;
 			bootEncStatus->EncryptedAreaStart = Extension->Queue.EncryptedAreaStart;
+			bootEncStatus->MasterKeyVulnerable = Extension->HeaderCryptoInfo->bVulnerableMasterKey;
 
 			if (SetupInProgress)
 			{

diff --git a/src/Driver/Ntvol.c b/src/Driver/Ntvol.c
@@ -89,6 +89,7 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject,
 
 	mount->VolumeMountedReadOnlyAfterDeviceWriteProtected = FALSE;
 	mount->VolumeMountedReadOnlyAfterPartialSysEnc = FALSE;
+	mount->VolumeMasterKeyVulnerable = FALSE;
 
 	// If we are opening a device, query its size first
 	if (bRawDevice)
@@ -648,6 +649,9 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject,
 			Dump ("Volume header decrypted\n");
 			Dump ("Required program version = %x\n", (int) Extension->cryptoInfo->RequiredProgramVersion);
 			Dump ("Legacy volume = %d\n", (int) Extension->cryptoInfo->LegacyVolume);
+			Dump ("Master key vulnerable = %d\n", (int) Extension->cryptoInfo->bVulnerableMasterKey);
+
+			mount->VolumeMasterKeyVulnerable = Extension->cryptoInfo->bVulnerableMasterKey;
 
 			if (IsHiddenSystemRunning() && !Extension->cryptoInfo->hiddenVolume)
 			{

diff --git a/src/ExpandVolume/ExpandVolume.c b/src/ExpandVolume/ExpandVolume.c
@@ -691,6 +691,12 @@ static int ExpandVolume (HWND hwndDlg, wchar_t *lpszVolume, Password *pVolumePas
 	if (nStatus == ERR_CIPHER_INIT_WEAK_KEY)
 		nStatus = 0;	// We can ignore this error here
 
+	// if the volume master key is vulnerable, print a warning to inform the user
+	if (cryptoInfo->bVulnerableMasterKey)
+	{
+		DebugAddProgressDlgStatus(hwndDlg, GetString ("ERR_XTS_MASTERKEY_VULNERABLE_SHORT"));
+	}
+
 	if (nStatus != 0)
 	{
 		cryptoInfo = NULL;

diff --git a/src/Main/Forms/ChangePasswordDialog.cpp b/src/Main/Forms/ChangePasswordDialog.cpp
@@ -171,6 +171,7 @@ namespace VeraCrypt
 			RandomNumberGenerator::SetEnrichedByUserStatus (false);
 			Gui->UserEnrichRandomPool (this, NewPasswordPanel->GetPkcs5Kdf() ? NewPasswordPanel->GetPkcs5Kdf()->GetHash() : shared_ptr <Hash>());
 
+			bool masterKeyVulnerable = false;
 			{
 #ifdef TC_UNIX
 				// Temporarily take ownership of a device if the user is not an administrator
@@ -193,6 +194,7 @@ namespace VeraCrypt
 					CurrentPasswordPanel->GetPassword(), CurrentPasswordPanel->GetVolumePim(), CurrentPasswordPanel->GetPkcs5Kdf(), CurrentPasswordPanel->GetKeyfiles(),
 					newPassword, newPim, newKeyfiles, NewPasswordPanel->GetPkcs5Kdf(), NewPasswordPanel->GetHeaderWipeCount(), Gui->GetPreferences().EMVSupportEnabled);
 				Gui->ExecuteWaitThreadRoutine (this, &routine);
+				masterKeyVulnerable = routine.m_masterKeyVulnerable;
 			}
 
 			switch (DialogMode)
@@ -214,6 +216,9 @@ namespace VeraCrypt
 				throw ParameterIncorrect (SRC_POS);
 			}
 
+			if (masterKeyVulnerable)
+				Gui->ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
+
 			EndModal (wxID_OK);
 		}
 		catch (UnportablePassword &e)

diff --git a/src/Main/GraphicUserInterface.cpp b/src/Main/GraphicUserInterface.cpp
@@ -191,6 +191,7 @@ namespace VeraCrypt
 		hiddenVolumeMountOptions.Path = volumePath;
 
 		VolumeType::Enum volumeType = VolumeType::Normal;
+		bool masterKeyVulnerable = false;
 
 		// Open both types of volumes
 		while (true)
@@ -273,6 +274,13 @@ namespace VeraCrypt
 				}
 			}
 
+			// check if volume master key is vulnerable
+			if (volume->IsMasterKeyVulnerable())
+			{
+				masterKeyVulnerable = true;
+				ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
+			}
+
 			if (volumeType == VolumeType::Hidden)
 				hiddenVolume = volume;
 			else
@@ -366,6 +374,10 @@ namespace VeraCrypt
 		}
 
 		ShowWarning ("VOL_HEADER_BACKED_UP");
+
+		// display again warning that master key is vulnerable
+		if (masterKeyVulnerable)
+			ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
 	}
 
 	void GraphicUserInterface::BeginInteractiveBusyState (wxWindow *window)
@@ -1440,6 +1452,7 @@ namespace VeraCrypt
 		/* force the display of the random enriching interface */
 		RandomNumberGenerator::SetEnrichedByUserStatus (false);
 
+		bool masterKeyVulnerable = false;
 		if (restoreInternalBackup)
 		{
 			// Restore header from the internal backup
@@ -1492,6 +1505,8 @@ namespace VeraCrypt
 				return;
 			}
 
+			masterKeyVulnerable = volume->IsMasterKeyVulnerable();
+
 			RandomNumberGenerator::Start();
 			UserEnrichRandomPool (nullptr);
 
@@ -1590,6 +1605,7 @@ namespace VeraCrypt
 
 						if (decryptRoutine.m_bResult)
 						{
+							masterKeyVulnerable = layout->GetHeader()->IsMasterKeyVulnerable();
 							decryptedLayout = layout;
 							break;
 						}
@@ -1645,6 +1661,12 @@ namespace VeraCrypt
 		}
 
 		ShowInfo ("VOL_HEADER_RESTORED");
+
+		// display warning if the volume master key is vulnerable
+		if (masterKeyVulnerable)
+		{
+			ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
+		}
 	}
 
 	DevicePath GraphicUserInterface::SelectDevice (wxWindow *parent) const

diff --git a/src/Main/TextUserInterface.cpp b/src/Main/TextUserInterface.cpp
@@ -314,6 +314,7 @@ namespace VeraCrypt
 		hiddenVolumeMountOptions.EMVSupportEnabled = true;
 
 		VolumeType::Enum volumeType = VolumeType::Normal;
+		bool masterKeyVulnerable = false;
 
 		// Open both types of volumes
 		while (true)
@@ -387,6 +388,13 @@ namespace VeraCrypt
 				}
 			}
 
+			// check if volume master key is vulnerable
+			if (volume->IsMasterKeyVulnerable())
+			{
+				masterKeyVulnerable = true;
+				ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
+			}
+
 			if (volumeType == VolumeType::Hidden)
 				hiddenVolume = volume;
 			else
@@ -454,6 +462,10 @@ namespace VeraCrypt
 
 		ShowString (L"\n");
 		ShowInfo ("VOL_HEADER_BACKED_UP");
+
+		// display again warning that master key is vulnerable
+		if (masterKeyVulnerable)
+			ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
 	}
 
 	void TextUserInterface::ChangePassword (shared_ptr <VolumePath> volumePath, shared_ptr <VolumePassword> password, int pim, shared_ptr <Hash> currentHash, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, shared_ptr <Hash> newHash) const
@@ -532,6 +544,12 @@ namespace VeraCrypt
 			break;
 		}
 
+		// display warning if volume master key is vulnerable
+		if (volume->IsMasterKeyVulnerable())
+		{
+			ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
+		}
+
 		// New password
 		if (!newPassword.get() && !Preferences.NonInteractive)
 			newPassword = AskPassword (_("Enter new password"), true);
@@ -1539,6 +1557,7 @@ namespace VeraCrypt
 		/* force the display of the random enriching interface */
 		RandomNumberGenerator::SetEnrichedByUserStatus (false);
 
+		bool masterKeyVulnerable = false;
 		if (restoreInternalBackup)
 		{
 			// Restore header from the internal backup
@@ -1586,6 +1605,8 @@ namespace VeraCrypt
 				throw_err (LangString ["VOLUME_HAS_NO_BACKUP_HEADER"]);
 			}
 
+			masterKeyVulnerable = volume->IsMasterKeyVulnerable();
+
 			RandomNumberGenerator::Start();
 			UserEnrichRandomPool();
 
@@ -1673,6 +1694,7 @@ namespace VeraCrypt
 						if (layout->GetHeader()->Decrypt (headerBuffer, *passwordKey, options.Pim, kdf, layout->GetSupportedKeyDerivationFunctions(), layout->GetSupportedEncryptionAlgorithms(), layout->GetSupportedEncryptionModes()))
 						{
 							decryptedLayout = layout;
+							masterKeyVulnerable = layout->GetHeader()->IsMasterKeyVulnerable();
 							break;
 						}
 					}
@@ -1723,6 +1745,11 @@ namespace VeraCrypt
 
 		ShowString (L"\n");
 		ShowInfo ("VOL_HEADER_RESTORED");
+		// display warning if the volume master key is vulnerable
+		if (masterKeyVulnerable)
+		{
+			ShowWarning ("ERR_XTS_MASTERKEY_VULNERABLE");
+		}
 	}
 
 	void TextUserInterface::SetTerminalEcho (bool enable)