OpenPGP Protocol Vulnerability

Reference: CERT.be Advisory #2018-020
Version: 1.0
Reference: CVE-2018-12020
CVSS: Unknown at this time but ranked as critical
Affected software: GnuPG, Enigmail, GPGTools and Python-gnupg. All versions of GnuPG on all platforms, and all mail clients and other applications that make use of GPG without going through the GPGME library
Type: Signature / Encryption spoofing

Sources

https://neopg.io/blog/gpg-signature-spoof/#proof-of-concept-ii-signature...
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

Risks

An attacker who exploits this vulnerability can spoof signature verification and so cause a false status message to be reported about the validity of the signature and other parameters.

Description

The OpenPGP protocol allows the file name of the original input file to be included in a signed or encrypted message. During decryption and verification, the GPG tool can display a notice with that file name. Because the displayed file name is not sanitized, it may include line feeds or other control characters, and this can be used to inject control messages.

Programs parse these status messages to get information from GPG about the validity of a signature and other parameters. By using a made-up file name in the message, it is possible to fake status messages. Using this technique, it is possible to fake the verification of a signed mail.

This vulnerability is not limited to e-mail security, since GnuPG is also used to secure backups, software updates in distributions, and source code in version control systems like Git.

Recommended actions

CERT.be recommends that users always keep their systems up to date. Please be advised that updates have already been released by GnuPG, Enigmail, GPGTools, Debian, Ubuntu, Fedora and SUSE. We expect others to follow soon. These updates fix the vulnerabilities in the different software packages.

Besides upgrading the software or libraries used for OpenPGP encryption/decryption, also make sure that verbose is not set in gpg.conf and do not use gpg --verbose on the command line.

If you are a developer, add --no-verbose to all invocations of GPG and upgrade to Python-gnupg 0.4.3 or higher.
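An added example, not part of the CERT.be advisory or of GnuPG: Python helpers that check an option file for a verbose setting and rewrite a gpg argument list so that --no-verbose is always present. The function names and the sample option file are constructed for illustration, and each option is assumed to be passed as its own argument.

```python
# Added example: audit helpers for the two mitigations listed above.
# Constructed sample option file (not taken from a real system).
SAMPLE_CONF = """\
# personal settings
keyserver hkps://keys.example.org
verbose
"""


def conf_verbose_level(conf_text):
    """Return the verbosity an option file leaves behind (0 means safe).

    Option files hold one long option per line without the leading
    dashes; lines starting with '#' are comments.
    """
    level = 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        option = line.split()[0].lstrip("-")  # tolerate stray dashes
        if option == "verbose":
            level += 1   # each occurrence raises the level
        elif option == "no-verbose":
            level = 0    # resets anything set earlier
    return level


def harden_argv(argv):
    """Return a copy of a gpg argument list with verbose output disabled.

    Verbose switches (--verbose, -v, -vv, ...) are dropped and
    --no-verbose is placed first, so nothing later raises the level
    again. Arguments after a bare '--' are file names and stay untouched.
    """
    prog, rest = argv[0], list(argv[1:])
    split = rest.index("--") if "--" in rest else len(rest)
    options, operands = rest[:split], rest[split:]
    kept = [a for a in options
            if a != "--verbose"
            and not (a.startswith("-v") and set(a[1:]) == {"v"})]
    return [prog, "--no-verbose"] + kept + operands


if __name__ == "__main__":
    print("verbose level in sample gpg.conf:", conf_verbose_level(SAMPLE_CONF))
    print(harden_argv(["gpg", "-v", "--status-fd", "3", "--verify", "mail.sig"]))
```

A non-zero result from conf_verbose_level means the option file still needs the verbose line removed; harden_argv is meant to wrap every place an application builds a gpg command line.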

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020