5929760 2001-01-08 15:58 +0100 /85 lines/ Michael Kjorling <michael@KJORLING.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-01-08 20:03 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: michael@KJORLING.COM
Recipient: Bugtraq (import) <14644>
Subject: Advisory: PGP 7.0 signature verification vulnerability
------------------------------------------------------------
From: Michael Kjorling <michael@KJORLING.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <5.0.2.1.2.20010108151035.00be6c70@localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Product: Pretty Good Privacy
Severity: Medium to high
Impact: Users with write access to signed exported key blocks may
replace them with arbitrary keys without any warning being issued
upon import of those keys
Local: Yes
Remote: No (though man-in-the-middle attacks are a possibility)
Vendor status: Network Associates was contacted December 20; see
below

Confirmed vulnerable: PGP for Desktop Security, version 7.0.0.0 build
242, on Windows 2000
Suspected vulnerable: All versions of PGP 7.0
Confirmed not vulnerable: none


Disclaimer:

This information is provided "as is", with no warranties of any kind,
either expressed or implied. It was discovered through trial and
error; the source code has not been examined as it has been out of my
reach. I take no responsibility for how the information contained
within this advisory is utilized.


Description:

There seems to be a vulnerability in the key import code in PGP 7.0
on the Win32/Intel platform, causing a signature on a full exported
and ASCII armored key block not to be checked when "Decrypt/Verify"
is selected to import the key(s). This means that any signatures on
the full exported key block are not checked, opening the possibility
for anyone who has write access to the file to replace the keys
without having to generate a new signature. Key signature
verification, however, is not affected by this vulnerability.


Exploit:

Given the possibility to write to the PGP signed file containing the
exported key(s), replace the keys without altering the signature. PGP
will not warn the user upon import of the keys that the signature has
become invalid. Man-in-the-middle attacks are also a possibility,
given an eavesdropper listening on the communications channel and
replacing the key material as it flows through the wires.


Workaround:

There is no known workaround, besides always verifying fingerprints
with the owner of the key as well as not trusting keys that have no
or just a few signatures.


Vendor status:

Network Associates was contacted by email to <pgpsupport@nai.com> as
per instructions from their support department on December 20th,
2000, and they were advised that an advisory would be posted to
Bugtraq on Jan 8. The email was encrypted with their "Software
Release Key" which was the key I was pointed to when asking to whom I
should encrypt the email, but I still have not heard back from them.



Michael Kjörling
michael@kjorling.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
Comment: All computers wait at the same speed.

iQA/AwUBOlnVfSqje/2KcOM+EQLUgACePUxBaAKla2jBZzdquOeba3nESYYAoNdt
0vzBXN6YIZ1V50EboF4maM3/
=hJXy
-----END PGP SIGNATURE-----
(5929760) ------------------------------------------
Comment in text 5930626 by Adam Shostack <adam@HOMEPORT.ORG>

5930626 2001-01-08 14:31 -0500 /97 lines/ Adam Shostack <adam@HOMEPORT.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-01-09 00:17 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: adam@HOMEPORT.ORG
Recipient: Bugtraq (import) <14649>
Comment to text 5929760 by Michael Kjorling <michael@KJORLING.COM>
Subject: Re: Advisory: PGP 7.0 signature verification vulnerability
------------------------------------------------------------
From: Adam Shostack <adam@HOMEPORT.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010108143127.A17371@weathership.homeport.org>

Does this work if I put up a fake key on my website? If I put a fake
key into the keyservers? How is that different from importing a
signed, exported key from disk?

Adam

On Mon, Jan 08, 2001 at 03:58:58PM +0100, Michael Kjorling wrote:
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| Product: Pretty Good Privacy
| Severity: Medium to high
| Impact: Users with write access to signed exported key blocks may
| replace them with arbitrary keys without any warning being issued
| upon import of those keys
| Local: Yes
| Remote: No (though man-in-the-middle attacks are a possibility)
| Vendor status: Network Associates was contacted December 20; see
| below
|
| Confirmed vulnerable: PGP for Desktop Security, version 7.0.0.0 build
| 242, on Windows 2000
| Suspected vulnerable: All versions of PGP 7.0
| Confirmed not vulnerable: none
|
|
| Disclaimer:
|
| This information is provided "as is", with no warranties of any kind,
| either expressed or implied. It was discovered through trial and
| error; the source code has not been examined as it has been out of my
| reach. I take no responsibility for how the information contained
| within this advisory is utilized.
|
|
| Description:
|
| There seems to be a vulnerability in the key import code in PGP 7.0
| on the Win32/Intel platform, causing a signature on a full exported
| and ASCII armored key block not to be checked when "Decrypt/Verify"
| is selected to import the key(s). This means that any signatures on
| the full exported key block are not checked, opening the possibility
| for anyone who has write access to the file to replace the keys
| without having to generate a new signature. Key signature
| verification, however, is not affected by this vulnerability.
|
|
| Exploit:
|
| Given the possibility to write to the PGP signed file containing the
| exported key(s), replace the keys without altering the signature. PGP
| will not warn the user upon import of the keys that the signature has
| become invalid. Man-in-the-middle attacks are also a possibility,
| given an eavesdropper listening on the communications channel and
| replacing the key material as it flows through the wires.
|
|
| Workaround:
|
| There is no known workaround, besides always verifying fingerprints
| with the owner of the key as well as not trusting keys that have no
| or just a few signatures.
|
|
| Vendor status:
|
| Network Associates was contacted by email to <pgpsupport@nai.com> as
| per instructions from their support department on December 20th,
| 2000, and they were advised that an advisory would be posted to
| Bugtraq on Jan 8. The email was encrypted with their "Software
| Release Key" which was the key I was pointed to when asking to whom I
| should encrypt the email, but I still have not heard back from them.
|
|
|
| Michael Kjörling
| michael@kjorling.com
|
| -----BEGIN PGP SIGNATURE-----
| Version: PGP 7.0
| Comment: All computers wait at the same speed.
|
| iQA/AwUBOlnVfSqje/2KcOM+EQLUgACePUxBaAKla2jBZzdquOeba3nESYYAoNdt
| 0vzBXN6YIZ1V50EboF4maM3/
| =hJXy
| -----END PGP SIGNATURE-----

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
(5930626) ------------------------------------------
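
The check the advisory reports as missing (the signature over a clearsigned key export must be validated before the keys inside are imported) can be enforced outside the import tool. The following is an added example, not part of the original messages and not PGP 7.0 code: it assumes GnuPG as the verifier, the function names are hypothetical, and the fingerprint and status lines are constructed samples.

```shell
#!/bin/sh
# Added example, not from the advisory. Uses GnuPG (an assumption; the
# advisory is about PGP 7.0). Function names are hypothetical.

# Constructed sample fingerprint and `gpg --status-fd` output, for illustration.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2001-01-08 978966000 0 4 0 17 2 01 $SAMPLE_FPR"
SAMPLE_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>"

# sig_ok FPR: read status lines on stdin. Succeed only if some VALIDSIG line
# names FPR (signing key in field 3, primary key in the last field) and no
# BADSIG or ERRSIG line is present. No status lines at all means failure.
# FPR must be given as uppercase hex without spaces, as gpg prints it.
sig_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]"                 { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { good = 1 }
        END { exit !(good && !bad) }'
}

# import_signed_keys FILE FPR: verify the clearsigned export, then import the
# payload gpg actually verified (not FILE itself, which could change between
# the check and the import).
import_signed_keys() {
    file=$1; fpr=$2
    tmp=$(mktemp -d) || return 1
    if gpg --batch --status-fd 3 --output "$tmp/keys.asc" --decrypt "$file" \
            3>"$tmp/status" 2>/dev/null && sig_ok "$fpr" <"$tmp/status"
    then
        gpg --batch --import "$tmp/keys.asc"; rc=$?
    else
        echo "refusing import of $file: no valid signature by $fpr" >&2; rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

The expected signer's fingerprint still has to be obtained out of band, which is the fingerprint check the advisory's workaround recommends.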