 |
|
|
|
| Ivan Arce | |
|
|
Requires Free Membership to View
SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!
Michael S. Mimoso, Editorial Director
Researchers at Core Security Inc. have identified a flaw in the GNU Privacy Guard cryptographic system that allows an attacker to insert his own text into a GnuPG-signed message, or even completely replace the original text of the signed message.
The vulnerability is not in the encryption algorithm itself, but rather in the way that GnuPG interacts with the third-party applications that use it. The list of affected mail packages is extensive, and includes GNUMail, KMail, Enigmail and Mutt, among many others.
The Free Software Foundation, which maintains GnuPG, has released a new version of the program and has posted an advisory about the problem on its site. The FSF decided to release its own fix rather than have each of the third-party developers patch their applications because of the large number of applications the vulnerability affects.
|  | ||||||||||||||||
| |||||||||||||||||
The SANS Internet Storm Center also has posted an advisory about the GnuPG problem .
The vulnerability lies in the way that GnuPG communicates with the mail programs that use it to encrypt and sign messages. GnuPG, which is based in the OpenPGP standard, contains an API that mail applications and other programs use to interpret where each of the various sections of a GnuPG-signed message begins and ends.
The applications make the wrong assumptions when interpreting that data, said Ivan Arce, chief technology officer of Boston-based Core, and as a result, attackers can insert their own text into a message that already has been signed. Alternately, an attacker could replace the entire signed message with his own message, Arce said.
"This is very simple to exploit," he said. "The attacker needs to get a mail message that's signed by the sender, then attach his text and send it to the destination. Whoever receives the message will trust it because it's been signed. It's quite easy to do."
GnuPG is widely used by open-source email applications and other programs that require encryption, and not just in the Windows world. For example, there is a plug-in called GPGMail that can be used to send and receive encrypted messages via the mail client in Apple Computer Corp.'s Mac OS X operating system.
Arce emphasized that this flaw in no way affects the actual encryption in GnuPG, but said that it is a good example of how the interactions between applications can lead to results that were unforeseen by the applications' respective developers.
"Both programs actually do things right for the most part, but when they interact with each other, they make the wrong assumptions," Arce said. "The user doesn't see the stuff in the background. All they see is the result."