SANS Internet Storm Center (ISC) handler diary
When encoding trumps encryption (or: the latest GnuPG issue)
The latest GnuPG security advisory describes, as far as GnuPG itself is concerned, more of a human-computer interaction problem than a security hole proper. The flaw is not in the encryption or in the signatures, but in the way OpenPGP messages (OpenPGP being the standard format for PGP-encrypted and signed data) are interpreted by GnuPG "helpers" such as Enigmail and by mail programs such as Evolution, KMail and others.

An OpenPGP message can be made up of several packets, not all of which need to be signed or encrypted. The helpers and mail clients do not use GnuPG's machine-readable status interface (--status-fd) correctly to work out where the signed section starts and ends. This opens the door to "injection", a fancy name for adding untrusted data that cannot be told apart from trusted data.

Translated: you see the reassuring icon telling you that the whole message is encrypted and signed, while a section of it (text, image, binary, whatever) is not.

What if you use GnuPG "raw", from the command line? The visual cues there are insufficient even for an advanced user: gpg writes the unsigned packet's content alongside the signed one, with nothing on screen to tell the two apart. That is why a new release of GnuPG is being distributed and the relevant CVE numbers were issued.

To give you an idea of the extent of the issue, here are the CVE numbers:
  • CVE-2007-1263 - for the visual distinction issues in GnuPG itself, all 4 attacks.
  • CVE-2007-1264 - Enigmail improper use of --status-fd
  • CVE-2007-1265 - KMail improper or missing use of --status-fd
  • CVE-2007-1266 - Evolution improper or missing use of --status-fd
  • CVE-2007-1267 - Sylpheed improper or missing use of --status-fd
  • CVE-2007-1268 - Mutt improper or missing use of --status-fd
  • CVE-2007-1269 - GNUMail improper or missing use of --status-fd
Please note that the list is not exhaustive; for example, I use GPGMail for Apple's Mail and have yet to test whether it is vulnerable.
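To make the --status-fd point concrete, here is an added example (written for this page; it is not code from the ISC diary, from GnuPG, or from any of the mail clients listed above). It parses the machine-readable status stream gpg emits while verifying a message and contrasts the naive front-end policy behind the mail-client CVEs ("a GOODSIG line appeared, so show the padlock") with the stricter policy the advisory calls for (exactly one literal-data packet, covered by a good signature, with nothing injected before or after it). The status-line shapes follow GnuPG's doc/DETAILS; the sample streams, key ID, fingerprint and file names are constructed for the example and belong to nobody.

```python
"""Deciding whether gpg output may be shown to the user as "signed".

Added example for this diary, not code from the ISC post or the GnuPG project.
It models what a mail front end should do with the --status-fd stream:

  naive_is_signed   the vulnerable behaviour: any GOODSIG means "whole message signed"
  strict_is_signed  the hardened behaviour: one PLAINTEXT packet, a good signature
                    over it, no failed signature, no literal data after the signature
"""
from dataclasses import dataclass, field
from typing import List

STATUS_PREFIX = "[GNUPG:] "   # every status line gpg writes to --status-fd starts with this


@dataclass
class StatusSummary:
    plaintexts: int = 0                                 # literal-data packets gpg unpacked
    good_sigs: List[str] = field(default_factory=list)  # key IDs reported by GOODSIG
    failed_sigs: int = 0                                # BADSIG / ERRSIG occurrences
    plaintext_after_sig: bool = False                   # literal data seen after a signature,
                                                        # i.e. data the signature never covered


def parse_status(stream: str) -> StatusSummary:
    """Fold a --status-fd stream into counts. Ordinary stderr text is ignored."""
    summary = StatusSummary()
    for raw in stream.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue                       # human-readable chatter, never a basis for decisions
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword == "PLAINTEXT":         # PLAINTEXT <format> <timestamp> <filename>
            summary.plaintexts += 1
            if summary.good_sigs:
                summary.plaintext_after_sig = True
        elif keyword == "GOODSIG":         # GOODSIG <long keyid> <username>
            summary.good_sigs.append(fields[1])
        elif keyword in ("BADSIG", "ERRSIG"):
            summary.failed_sigs += 1
    return summary


def naive_is_signed(stream: str) -> bool:
    """Vulnerable policy: a GOODSIG line anywhere lights the 'signed' icon."""
    return bool(parse_status(stream).good_sigs)


def strict_is_signed(stream: str) -> bool:
    """Hardened policy: exactly one literal packet, signed, and nothing injected."""
    s = parse_status(stream)
    return (s.plaintexts == 1
            and len(s.good_sigs) >= 1       # >= 1: a message may carry several signers
            and s.failed_sigs == 0
            and not s.plaintext_after_sig)


# Constructed sample streams (key ID, fingerprint, names and dates are made up).
SIGNED_ONLY = """\
gpg: Signature made Wed Mar  7 00:00:00 2007 UTC using DSA key ID 89ABCDEF
[GNUPG:] PLAINTEXT 74 1173225600 message.txt
[GNUPG:] SIG_ID cGxhY2Vob2xkZXI 2007-03-07 1173225600
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-03-07 1173225600
[GNUPG:] TRUST_FULLY
"""
# The same signed packet with an unsigned literal packet injected after it.
SIGNED_PLUS_INJECTED = SIGNED_ONLY + "[GNUPG:] PLAINTEXT 74 1173225600 injected.txt\n"
# An unsigned literal packet injected in front of the signed one.
INJECTED_PLUS_SIGNED = "[GNUPG:] PLAINTEXT 74 1173225600 injected.txt\n" + SIGNED_ONLY
# Literal data with no signature at all.
UNSIGNED = "[GNUPG:] PLAINTEXT 74 1173225600 message.txt\n"


if __name__ == "__main__":
    cases = [("signed only", SIGNED_ONLY), ("signed + injected", SIGNED_PLUS_INJECTED),
             ("injected + signed", INJECTED_PLUS_SIGNED), ("unsigned", UNSIGNED)]
    for name, stream in cases:
        print(f"{name:18} naive={naive_is_signed(stream)!s:5} strict={strict_is_signed(stream)}")
```

The two injected cases are the heart of the advisory: the naive policy shows the padlock for both, because a GOODSIG line really is present, while the strict policy refuses because a second PLAINTEXT packet was unpacked that no signature covers. Note that both policies deliberately ignore the "Good signature from" text gpg writes to stderr; that text is localised, and deciding on it rather than on the status lines is exactly the mistake the mail-client CVEs describe.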

Mar 7th 2007
