Core Security Technologies Uncovers Vulnerability in Widely-Used Open Source Encryption Software
March 10th, 2007
Newly-Discovered Flaw in GNU Privacy Guard Allows Attacker to Manipulate Content within Encrypted, Signed Messages; Numerous Email Systems Vulnerable
Core Security Technologies, provider of CORE IMPACT, the first-to-market penetration testing product for assessing specific information security risks, today issued an advisory disclosing a flaw in the GNU Privacy Guard (GnuPG or GPG), an OpenPGP-compliant cryptographic software system and part of the Free Software Foundation’s GNU software project, and in third-party email applications that rely on it for encrypted and signed email communications. CoreLabs, the research arm of Core Security, discovered that by exploiting this vulnerability an attacker can add arbitrary content to encrypted and/or signed emails in order to mislead recipients about the trustworthiness of a message. Attackers can also use the flaw to bypass content-filtering defenses (e.g., anti-spam mechanisms), which makes phishing attacks delivered this way particularly hard to detect.
This vulnerability impacts users of a broad range of open-source email client software programs, including KMail, Evolution, Sylpheed, Mutt and GNUMail. The vulnerability also affects Enigmail, an extension to the mail client of Mozilla/Netscape and Mozilla Thunderbird that allows users to access the authentication and encryption features provided by GnuPG. Enigmail and GnuPG have released new versions of their software to address this vulnerability. CoreLabs has also published a workaround to help users to detect and prevent exploitation.
“This vulnerability is a good example of how very subtle implementation decisions on how to interface data communications between two applications, in this case email front-end extensions and GnuPG, can end up exposing end users to unexpected security weaknesses,” said Iván Arce, CTO at Core Security Technologies. “We continue to encourage and support the use of GnuPG as a convenient way to improve the security and privacy of communications. To that effect and to prevent traffic analysis attacks we also recommend that encryption should be turned on by default on every email.”
Vulnerability Specifics:
CoreLabs discovered that scripts and applications using GnuPG are prone to a vulnerability in which signature verification results are attributed to the wrong content. Unsuspecting users reading a GPG encrypted and/or signed email, using a mail client or encryption extension, are led to believe that the entire message was signed by the sender when, in fact, an arbitrary portion of the content may have been inserted by an attacker. In some cases, the attacker may completely hide the signed portion of a message and present the user with only the forged portion. It is important to note that this is not a cryptographic problem: the signature itself still verifies correctly over the data it covers. The flaw lies in how information is presented to the user and in how third-party applications interpret GnuPG’s output.
The attack affects systems using:
GnuPG 1.4.6 and previous versions
Enigmail 0.94.2 and previous versions
KMail 1.9.5 and previous versions
Evolution 2.8.1 and previous versions
Sylpheed 2.2.7 and previous versions
Mutt 1.5.13 and previous versions
GNUMail 1.1.2 and previous versions
Other scripts and applications using GnuPG may be vulnerable
To address this vulnerability, users of scripts and applications using GnuPG should immediately upgrade to the latest versions of GnuPG and Enigmail, which are available at:
GnuPG 1.4.7: http://www.gnupg.org/
Enigmail 0.94.3: http://enigmail.mozdev.org/
Additionally, Core Security recommends the following workaround:
If a signed message looks suspicious, the validity of the signature can be verified by manually invoking GnuPG from the command line with the special option “--status-fd”. With this option GnuPG writes machine-readable status lines to the given file descriptor, reporting each plaintext packet it outputs and each signature it checks separately, so content that no signature covers can be told apart from the genuinely signed content.
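The following script is an added example for the “Vulnerability Specifics” and workaround sections above; it is not code from Core Security, the GnuPG project or any of the mail clients listed. It applies the workaround mechanically: it parses the `[GNUPG:] KEYWORD args` status lines that GnuPG emits on the descriptor named by `--status-fd` (the keywords PLAINTEXT, SIG_ID, GOODSIG, BADSIG, ERRSIG, EXPKEYSIG, REVKEYSIG and TRUST_FULLY are documented in the GnuPG source file doc/DETAILS) and flags exactly the condition this advisory describes: a literal-data packet that no signature verdict covers, or more than one plaintext in a single run. The status samples embedded below are constructed for illustration; the key ID, signature ID and user ID in them are made up, and `check_file` (which runs a real `gpg`) is not invoked by the sample.

```python
"""Detect unsigned data mixed into a GnuPG signed message via --status-fd output.

Added example, not code from Core Security or GnuPG. Each literal-data packet
GnuPG writes to stdout yields one PLAINTEXT status line; each signature it
checks yields GOODSIG, BADSIG, ERRSIG, EXPKEYSIG or REVKEYSIG. A frontend that
only looks for "Good signature" in the human-readable output cannot tell
which of several plaintexts that verdict belongs to; the status lines can.
"""
import subprocess
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class Verdict:
    plaintexts: int = 0            # literal-data packets GnuPG output
    good_sigs: int = 0             # GOODSIG lines
    rejected_sigs: int = 0         # BADSIG / ERRSIG / EXPKEYSIG / REVKEYSIG lines
    unsigned_plaintexts: int = 0   # PLAINTEXT packets no signature verdict covers
    signers: list = field(default_factory=list)  # "<long key id> <user id>" per GOODSIG

    @property
    def whole_message_signed(self) -> bool:
        """True only if exactly one plaintext came out and a good signature covers it."""
        return (self.plaintexts == 1 and self.good_sigs >= 1
                and self.rejected_sigs == 0 and self.unsigned_plaintexts == 0)


def parse_status(status_text: str) -> Verdict:
    """Pair PLAINTEXT lines with the signature verdict that follows them."""
    v = Verdict()
    pending = 0  # PLAINTEXT packets seen since the last signature verdict
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # ordinary "gpg: ..." diagnostics are deliberately ignored
        keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
        if keyword == "PLAINTEXT":
            # A new literal packet starts; anything still pending was never signed.
            v.unsigned_plaintexts += pending
            pending = 1
            v.plaintexts += 1
        elif keyword == "GOODSIG":
            v.good_sigs += 1
            v.signers.append(args)
            pending = 0
        elif keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            v.rejected_sigs += 1
            pending = 0
    v.unsigned_plaintexts += pending  # trailing PLAINTEXT with no verdict at all
    return v


def check_file(path: str) -> "tuple[Verdict, bytes]":
    """Run gpg on a real message file (not used by the constructed samples below).

    --status-fd 2 puts the status lines on stderr, where parse_status filters
    them by prefix; the recovered plaintext stays on stdout. --decrypt also
    verifies messages that are only signed.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "2", "--decrypt", path],
        capture_output=True, check=False)
    return parse_status(proc.stderr.decode("utf-8", "replace")), proc.stdout


# Constructed status output for a message that is signed as a whole.
GOOD_STATUS = """\
gpg: Signature made Sat Mar 10 00:00:00 2007 UTC using DSA key ID 89ABCDEF
[GNUPG:] PLAINTEXT 74 1173484800 msg.txt
[GNUPG:] SIG_ID 7Hq9Qk2x1o+Zf0m4cV3nB8yL6tE 2007-03-10 1173484800
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>
gpg: Good signature from "Alice Example <alice@example.org>"
[GNUPG:] TRUST_FULLY
"""

# Constructed status output for the attack in the advisory: an unsigned
# literal-data packet appended after the genuinely signed one. GnuPG writes
# both plaintexts to stdout in sequence, and a frontend that sees a single
# "Good signature" line attributes all of that output to Alice.
FORGED_STATUS = """\
[GNUPG:] PLAINTEXT 74 1173484800 msg.txt
[GNUPG:] SIG_ID 7Hq9Qk2x1o+Zf0m4cV3nB8yL6tE 2007-03-10 1173484800
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>
[GNUPG:] TRUST_FULLY
[GNUPG:] PLAINTEXT 74 1173484801 forged.txt
"""

if __name__ == "__main__":
    for name, status in (("good", GOOD_STATUS), ("forged", FORGED_STATUS)):
        v = parse_status(status)
        print(f"{name}: plaintexts={v.plaintexts} good_sigs={v.good_sigs} "
              f"unsigned={v.unsigned_plaintexts} "
              f"whole_message_signed={v.whole_message_signed}")
```

The check is intentionally stricter than “was there a good signature”: a message with two PLAINTEXT lines is rejected even when one of them is properly signed, because GnuPG’s stdout contains both and the frontend has no way to show the user where the signed part ends. A GOODSIG line alone also says nothing about whether the key is trusted; that is what the TRUST_* line that follows it is for, and a frontend should act on it separately.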
For more information about this vulnerability and the systems affected, please visit: www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1687.
About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. Research is conducted in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing and cryptography. Results from these efforts include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.
About Core Security Technologies
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company’s flagship product, CORE IMPACT, is the first automated penetration testing product for assessing specific information security threats to an organization. Penetration testing evaluates overall network security and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing, software security auditing and related training. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
Contacts
Schwartz Communications
Dave Bowker or Tiffany Archambault, 781-684-0770
coresecurity {at} schwartz-pr(.)com