CoreLabs Detects Flaw In GnuPG
By CXOtoday Staff, Mumbai, Mar 9, 2007
Core Security Technologies has issued an advisory disclosing a flaw in the GNU Privacy Guard (GnuPG or GPG). GnuPG is an OpenPGP-compliant cryptographic software system and part of the Free Software Foundation's (FSF) GNU software project; the flaw also affects third-party email applications that rely on it for encrypted and signed email communications. CoreLabs, the research arm of Core Security, discovered the flaw and demonstrated that it can be exploited.

According to the press release issued by Core Security, an attacker can add arbitrary content to encrypted and/or signed emails in order to mislead recipients about the trustworthiness of a message. Attackers can also use this flaw to bypass content-filtering defenses, which makes phishing attacks harder to detect.

The company found that scripts and applications using GnuPG are prone to a vulnerability involving incorrect verification of signatures. Unsuspecting users reading a GPG encrypted and/or signed email with a mail client or encryption extension are led to believe that the entire message was signed by the sender when, in fact, an arbitrary portion of the content may have been inserted by an attacker. In some cases, the attacker may completely hide the signed portion of a message and present the user with only the forged portion.

It should be noted that this is not a cryptographic problem. It affects how information is presented to the user and how third-party applications interact with GnuPG.
The following versions are affected:

* GnuPG 1.4.6 and previous versions
* Enigmail 0.94.2 and previous versions
* KMail 1.9.5 and previous versions
* Evolution 2.8.1 and previous versions
* Sylpheed 2.2.7 and previous versions
* Mutt 1.5.13 and previous versions
* GNUMail 1.1.2 and previous versions
* Other scripts and applications using GnuPG may be vulnerable

To address this vulnerability, users of scripts and applications using GnuPG should immediately upgrade to the latest versions of GnuPG and Enigmail. Additionally, Core Security recommends that, if a signed message looks suspicious, the validity of the signature be verified by manually invoking GnuPG from the command line and adding the special option "--status-fd" to gain extra information.

"This vulnerability is a good e.g. of how very subtle implementation decisions on how to interface data communications between two applications, in this case email front-end extensions and GnuPG, can end up exposing end users to unexpected security weaknesses," said Iván Arce, CTO, Core Security Technologies. "We continue to encourage and support the use of GnuPG as a convenient way to improve the security and privacy of communications. To that effect and to prevent traffic analysis attacks, we also recommend that encryption should be turned on by default on every email."

Eric Robinson
Business Application Advisor
FedEx Corporate Services
Internet Engineering & EC Integration
901.263.5749

Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
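The "--status-fd" check the article recommends can be automated: a front-end should refuse a message unless the status stream shows exactly one plaintext block covered by exactly one good signature, instead of trusting whatever GnuPG wrote to stdout. The following is an added example, not code from the article, Core Security or GnuPG; it assumes status lines of the form `[GNUPG:] KEYWORD args` and that GnuPG emits one `PLAINTEXT` status line per literal data packet it processes. The sample status streams are constructed.

```python
"""Judge a GnuPG --status-fd stream for injected unsigned plaintext.

Added example (not from the article or GnuPG). Assumption: every literal data
packet GnuPG processes yields one '[GNUPG:] PLAINTEXT ...' status line, so a
message with unsigned data spliced in shows more PLAINTEXT lines than GOODSIG lines.
"""
import re
import subprocess
from typing import Iterable, Iterator, List, Tuple

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (keyword, args) for each status line; ignore all other output."""
    for line in lines:
        m = STATUS_RE.match(line.rstrip("\n"))
        if m:
            yield m.group(1), m.group(2) or ""


def verdict(status_lines: Iterable[str]) -> Tuple[bool, str]:
    """Accept only a message consisting of exactly one signed plaintext block."""
    keywords: List[str] = [kw for kw, _ in parse_status(status_lines)]
    bad = [k for k in keywords if k in ("BADSIG", "ERRSIG", "NO_PUBKEY")]
    if bad:
        return False, "signature problem: " + ", ".join(bad)
    good = keywords.count("GOODSIG")
    if good != 1:
        return False, f"expected exactly one GOODSIG, saw {good}"
    plaintexts = keywords.count("PLAINTEXT")
    if plaintexts != 1:
        return False, f"expected one PLAINTEXT block, saw {plaintexts} (unsigned data injected?)"
    return True, "single signed plaintext block"


def run_gpg_verdict(path: str, out: str = "/dev/null") -> Tuple[bool, str]:
    """Decrypt/verify `path` with status on fd 1 and plaintext diverted to `out`."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--output", out, "--decrypt", path],
        capture_output=True, text=True, check=False)
    return verdict(proc.stdout.splitlines())


# Constructed sample status streams (not captured from real messages).
CLEAN = [
    "[GNUPG:] PLAINTEXT 62 1173398416 ",
    "[GNUPG:] SIG_ID placeholder 2007-03-09 1173398416",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Sender <sender@example.org>",
    "[GNUPG:] TRUST_FULLY",
]
# An unsigned literal packet placed in front of the genuinely signed block.
INJECTED = ["[GNUPG:] PLAINTEXT 62 1173398416 "] + CLEAN
```

A mail front-end that applies `verdict()` before rendering will reject the spliced message even though GnuPG reported a good signature for part of it.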