Slashdot Mirror
Security Flaw Discovered in GPG
WeLikeRoy writes "A serious problem in the use of GPG to verify digital signatures has been discovered, which also affects the use of gpg in email. It is possible for an attacker to take any signed message and inject extra arbitrary data without affecting the signed status of the message. Depending on how gpg is invoked, it may be possible to output just faked data as several variants of this attack have been discovered. All versions of gnupg prior to 1.4.2.2 are affected, and it is thus recommended to update GnuPG as soon as possible to version 1.4.2.2."
A serious security issue in GPG! We are all doomed!
;)
what is GPG?
Yeah, I will go RTFA. However, summaries that assume you are familiar with an acronym are rude, IMHO
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
Its a good thing I don't use GPG to sign my emails. Oh wait.
For all the tinfoil hat people out there, I propose that the bug may have been placed intentionally, since GnuPG is, in fact, an opensource community project. So instead of taking hours to obtain a GPG key, the NSA could spend seconds and impersonate an otherwise [strike]paranoid[/strike] privacy-oriented person in typically confidential memos. Maybe a full accounting as to when the bug got there, how it got there, who put it there and the chances of it being purely human error are to be demanded? After all, some people (including myself) have invested some very expensive stakes in the security of GnuPG over the years.
HopeSeekr of xMule
Promote freedom; fight fascism.
So this is a simple mistake made by GPG, in an effort to coexist well with email and the like.
In other words, GPG looks at an email message and sees headers and the like. Of course, the headers were not signed (just the message), so GPG skips them and when it encounters the signed message, it begins to verify the signature.
So, if you are an attacker, you insert something before or after the signed message, and when GPG goes to verify it, the signed message passes, but GPG nicely prints out the whole message for you, instead of just the signed part. Oops, not a big deal, encryption isn't broken, in fact this is just an application bug.
Sound like a movie rating.
She thought she could get rid of me with that rejection via email. Now I've got reasonable doubt about her feelings. Until I get that court order, of course.
End transmission.
remember how many versions of OpenSSH we have? And why do you think new versions were released? And why should GPG be any different?
The parent AC is worng.
1.4.2-2 is not equal to 1.4.2.2, and it is older than 1.4.2.2
the -2 is the 2nd Debian modification of 1.4.2
Another good recommendation is to diversify your crypto. Sign/encrypt your data with multiple different crypto algorithms in the same message. It's like network redundancy: the odds of both methods failing at once are equal to the product of the low, but significant, probability of either failing. A single failure doesn't ever compromise your data, and buys time to get a new second method that works.
Of course, sent messages can't be recovered for reprotection with the new second method. And eventually the other original method will be compromised, so the attacker can use the appropriate methods for each. But at least you've improved your security. Probably more than the next guy. Next lesson: when the bear is chasing y'all, you don't have to be the fastest; just not the slowest.
--
make install -not war
no flaw in encoding or decoding..
The problem is in display. It displays the unencoded preamble and postscript inline with the (properly) verified parts of the email. You then, essentially, have to guess which is which.
OS Software is like love: The best way to make it grow is to give it away.
Don't you think they're smart enough to think that you would think they weren't that stupid?
rewriting history since 2109
GPG stands for Gnu Privacy Guard. It's the Free(tm) replacement for PGP (Pretty Good Privacy) which was originally developed by RSA. Between them, they are one of the standards for encryption and verification of sensitive data (including email).
As opposed to X509/SSL which seems to be designed for centralized trusted certificate issuers, GPG/PGP depend on a (decentralized) web of trust -- You decide which signatures you wish to trust, and then those signatures can be used to signify who they trust... If you have enough trust in the signature web for a public key you have for someone, then it is presumed that the key is trustable.
GPG seems to be supported by people who include some serious heavyweights in the encryption community.
IANASE (I am not a security expert), so any corrections to this explanation would be much appreciated)
OS Software is like love: The best way to make it grow is to give it away.
Actually, 1.4.2-2 is the second *Debian* release of 1.4.2, probably to fix packaging bugs or minor bugs in the software that weren't yet available in an upstream release. 1.4.2-2 != 1.4.2.2. Debian users still need to upgrade when a new package is available.
Xfce: Lighter than some, heavier than others. Just right.
I'm not even smart enough to understand what you just said.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
That information should never have been released! The negative press will impact sales. It would have been better to pretend the bug never existed.
Oh, it isn't corporate product, nevermind.
did anybody cross-check the authenticity of that warning? I wont accept that until I verify its GPG key :)
The bug allows someone to take a signed GPG message, stick in their own unsigned message in a certain way, and GPG will show you the combined message or even just the new message, but tell you that it is signed by the person who signed the original message.
If you read the message using the new GPG 1.4.2.2 it will correctly not accept the hacked message. So if you have any question about signed mail you received, you can check it again after upgrading GPG.
The bug only affects embedded signatures, such as in email messages using inline signatures or signed encrypted email. I think that excludes PGP/MIME signed unencrypted email, which is a common format for signed mail and would be a form of detached signature.
The bug does not affect "detached signatures", which are the kind that are used to verify software downloads, which means it could not have been used to hack yum, apt-get, etc.
All in all, not a big security flaw unless someone takes a signed email that you sent them, forges a GPG signed request to your domain registrar to transfer your million dollar domain name to them, and your registrar hasn't yet updated to GPG 1.4.2.2. Whoops -- if you upgrade GPG right now, it wouldn't help in that scenario.
Shouldn't this read Security Flaw Discovered for users of GPG ?
I'm guessing, but 95% of computing world doesn't use GPG. And isn't this a "Man In the Middle" attack? How many routers have been compromised that I need to worry about this?
Are my GPG encrypted messages to the kremlin, CIA, or FBI less secure? Are my "lovey-dovey, are you naked" messages to my wife compromised? Thats about all I use GPG for.
Enjoy.
It's just the normal noises in here.
I'm tired of their insecure crap! Oh wait, its GNU open source? In that case, you lazy bastard end users should have fixed it yourself!
"For instance, the use of double encryption does not provide the expected increase in security [MH81] when compared with the increased implementation requirements, and it cannot be recommended as a good alternative. Instead, triple-encryption is the point at which multiple encryption gives substantial improvements in security."
From http://www.x5.net/faqs/crypto/q85.html
Better assign a security Czar!
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Does it make the e-mails less safe? No. First, the flaw is for adding material, not reading it. Second, it's for signing, not encryption per-se. It DOES mean that you cannot trust e-mail for commercially sensitive transactions, but nobody should be trusting e-mail for that anyway.
Does it affect routers or the infrastructure of the Internet? Only insofar as domain registrars never validate change requests properly. A carefully-crafted attack could use this to append a change-of-IP request to some ISP's routine request to a registrar, which means an attacker could create a phony DNS server for the express purpose of polluting the DNS namespace. If the registrar uses GPG's validation as proof of a legit request (and some are quite happy with a fax with no proof of origin at all) then it could have an impact.
Is this a likely scenario? No. The problem with lack of validation has been around for decades and has been used by cybersquatters and porn merchants, but never (as far as I know) for Black Hat activities. The lack of any significant effort has never been due to security. My best guess is that it's due to skript kiddies being clueless. Which is just as well. If demonstrable and simple exploits aren't being used to cause catastrophic levels of mayhem, then I think we're pretty safe against this somewhat more sophisticated vulnerability requiring (as you coorectly point out) a MitM attack.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
...as it is already designed to tell you precisely what part of the e-mail is signed. Is there a more convenient way to handle GPG for e-mail than enigmail anyway?
Insert self-referential sig here.
Please note that when you update, your version number may not change. Depending on what OS you use and who you get your updates from, you might get an old version with back-ported fixes. If your version number is not the one mentioned here, you need to check with your OS vendor. Most will have a Web site listing security updates and what vulnerabilities they address.
This applies to a very specific case where a message is constructed by hand with multiple data packets and a single signature packet, so:
I say "might" as in all of these cases it depends on how GnuPG is called.