OpenPGP SigSpoof vulnerability in popular email applications

SigSpoof: A security researcher has discovered a critical vulnerability affecting some of the most popular email programs that use the OpenPGP standard to encrypt messages.

The revelation comes nearly a month after the disclosure of vulnerabilities in the encryption tools PGP and S/MIME that could allow attackers to read encrypted messages.

Software developer Marcus Brinkmann discovered a new vulnerability, called SigSpoof, that allows attackers to forge digital signatures using only someone's public key, without needing the corresponding private key.

The vulnerability has been assigned CVE-2018-12020 and affects several popular applications: GnuPG, Enigmail, GPGTools and python-gnupg. All of them have since been updated.

As the researcher reports, the OpenPGP protocol allows the "filename" parameter of the original input file to be included in signed or encrypted messages, and GnuPG combines that filename with its own status messages on a single output channel, marking the status messages with a predefined keyword so that they can be separated from the rest.

"These status messages are analyzed by programs to receive information from gpg about the validity of a digital signature and other parameters," GnuPG developer Werner Koch said in a statement released today.

When the message is decrypted on the recipient's computer, the application splits the output on that keyword and displays the message as validly signed if the user has the corresponding option enabled in the gpg.conf file.

However, the researcher found that the included filename (which can be up to 255 characters long) is not properly handled by the vulnerable applications, which allows an attacker to "include line feeds or other characters that let him gain control" of that output.
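The following is an added illustration, not code from the article, from GnuPG or from Enigmail. It models, as a defender would, why a front end that reads gpg's status lines from the same channel as gpg's log output can be shown a forged verdict once an untrusted filename may contain a line feed, and it shows the two fixes that close the hole: escaping control characters in metadata before it is logged, and keeping the status channel on its own file descriptor. The "[GNUPG:] KEYWORD ..." line format, the DECRYPTION_OKAY and GOODSIG keywords and the verbose "original file name" log line follow GnuPG's documented status-fd interface; the filename, key id and user id are constructed for the demo, and `simulate_gpg` is a toy stand-in for the real program, not its behaviour line for line.

```python
"""
Toy model (added example): how a literal-data filename containing a line
feed can forge a signature verdict when gpg's log output and status lines
share one channel, and how escaping plus channel separation prevent it.
"""
import re

STATUS_PREFIX = "[GNUPG:] "

# Constructed sample: a filename carrying a line feed followed by a status
# line. This is the shape of input the article describes; the key id and
# user id are placeholders, not real values.
CONSTRUCTED_KEYID = "0000000000000000"
INJECTED_FILENAME = (
    "note.txt\n"
    + STATUS_PREFIX + "GOODSIG " + CONSTRUCTED_KEYID + " Alice <alice@example.invalid>"
)


def escape_control(text: str) -> str:
    """Escape ASCII control characters so untrusted metadata can never start a
    new line on the channel it is logged to (the class of fix GnuPG shipped)."""
    return re.sub(r"[\x00-\x1f\x7f]", lambda m: "\\x%02x" % ord(m.group()), text)


def simulate_gpg(filename: str, verbose: bool, sanitize: bool, shared_status_fd: bool):
    """Stand-in for gpg processing an encrypted but UNSIGNED message whose
    literal-data packet names `filename`. Returns (log_stream, status_stream);
    with shared_status_fd everything lands in one stream, as with --status-fd 2."""
    log = ""
    if verbose:  # the 'verbose' option makes gpg log the original file name
        shown = escape_control(filename) if sanitize else filename
        log += f"gpg: original file name='{shown}'\n"
    status = STATUS_PREFIX + "DECRYPTION_OKAY\n"  # no GOODSIG: nothing was signed
    if shared_status_fd:
        return log + status, ""
    return log, status


def parse_status(stream: str) -> dict:
    """Front-end logic: derive the verdict from status lines only."""
    result = {"goodsig": None, "decrypted": False}
    for line in stream.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split(" ", 2)
        if fields[0] == "GOODSIG" and len(fields) >= 2:
            result["goodsig"] = fields[1]  # key id the front end would display
        elif fields[0] == "DECRYPTION_OKAY":
            result["decrypted"] = True
    return result


def verdict_for(filename: str, verbose: bool, sanitize: bool, shared_status_fd: bool) -> dict:
    """What a front end would display for the message under each configuration.
    Vulnerable pattern: with a shared fd it parses the merged stream; with a
    dedicated status fd it parses only that channel."""
    log, status = simulate_gpg(filename, verbose, sanitize, shared_status_fd)
    return parse_status(log if shared_status_fd else status)


if __name__ == "__main__":
    for verbose, sanitize, shared in [(True, False, True), (True, True, True),
                                      (True, False, False), (False, False, True)]:
        v = verdict_for(INJECTED_FILENAME, verbose, sanitize, shared)
        print(f"verbose={verbose} sanitize={sanitize} shared_fd={shared} "
              f"-> goodsig={v['goodsig']} decrypted={v['decrypted']}")
```

Only the first configuration (verbose logging, no escaping, status and log on one descriptor) reports a GOODSIG for a message that was never signed; either fix alone removes the forged line, and so does turning verbose logging off, which is why the advisories recommended a dedicated status fd together with `--no-verbose` for front ends that could not yet upgrade.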

Brinkmann shared three PoCs that show how signatures can be forged in Enigmail and GPGTools, and how a signature can be forged from the command line.

Those of you who use the above applications should upgrade to the new versions immediately.

iGuRu.gr

Written by giorgos
