Executive Summary

Summary
Title: PGP Desktop unsigned data injection vulnerability
Information
Name: VU#300785    First vendor publication: 2010-11-18
Vendor: VU-CERT    Last vendor modification: 2010-11-19
Severity (vendor): N/A    Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A    Environmental score: N/A
Impact sub-score: N/A    Temporal score: N/A
Exploitability sub-score: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS base score: 4.3    Attack range: Network
CVSS impact score: 2.9    Attack complexity: Medium
CVSS exploit score: 8.6    Authentication: None required

Detail

Vulnerability Note VU#300785

PGP Desktop unsigned data injection vulnerability

Overview

PGP Desktop 10.0.3 and earlier versions as well as 10.1.0 are vulnerable to an unsigned data injection attack. PGP Command Line versions 9.6 and greater are not affected by this vulnerability.

I. Description

The PGP Desktop user interface incorrectly displays messages with unsigned data as signed. A user will not be able to distinguish the legitimate signed part from the malicious unsigned parts. Additional details may be found in PGP's KnowledgeBase article 2290, Symantec's Security Advisory SYM10-012, and Eric R. Verheul's Pretty Good Piggy-backing paper.

II. Impact

An attacker could add a message part (attachment) to a valid, signed PGP message and the entire message, including the attacker's message part, would be reported to the reader as having a valid signature.
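As an added illustration (not code from the advisory or from PGP), here is the check a verifier should be doing on the packet level: walk the RFC 4880 packet headers of a binary OpenPGP message and report any literal-data packet that sits outside a one-pass-signature/signature envelope, since that is data no signature covers. The packet bodies below are constructed placeholders, and the code assumes the uncompressed one-pass signed message layout (one-pass signature, literal data, signature).

```python
# Walks the packet sequence of a binary OpenPGP message (RFC 4880 framing) and
# reports literal-data packets outside any one-pass-signature ... signature pair.
import struct

TAG_SIG, TAG_OPS, TAG_LITERAL = 2, 4, 11   # RFC 4880 packet tags

def iter_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {i}")
        if ctb & 0x40:                              # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = struct.unpack(">I", data[i + 2:i + 6])[0], i + 6
            else:
                raise ValueError("partial body lengths not supported here")
        else:                                       # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported here")
            size = 1 << ltype                       # 1, 2 or 4 length octets
            length = int.from_bytes(data[i + 1:i + 1 + size], "big")
            i += 1 + size
        yield tag, data[i:i + length]
        i += length

def find_unsigned_literals(data):
    """Return ordinals of literal packets that no one-pass signature encloses.
    Assumption: the one-pass form only; the older signature-then-literal
    layout is not modelled and its literal would be reported as unsigned."""
    depth, unsigned = 0, []
    for n, (tag, _) in enumerate(iter_packets(data)):
        if tag == TAG_OPS:
            depth += 1
        elif tag == TAG_SIG:
            depth = max(depth - 1, 0)
        elif tag == TAG_LITERAL and depth == 0:
            unsigned.append(n)
    return unsigned

def packet(tag, body):
    """Old-format packet with a one-octet length (constructed test data)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed sample: a signed message followed by an appended literal packet.
SIGNED = packet(TAG_OPS, b"ops") + packet(TAG_LITERAL, b"b\x00\x00\x00\x00\x00hi") + packet(TAG_SIG, b"sig")
PIGGYBACKED = SIGNED + packet(TAG_LITERAL, b"b\x00\x00\x00\x00\x00appended")
```

Real messages usually wrap the signed part in a compressed packet, so a production check has to descend into tag 8 first; the packet walk itself is the same.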

III. Solution

Apply an Update

Users should upgrade to version 10.0.3 SP2 or 10.1.0 SP1.

PGP recommends the following workaround:

If you use PGP Desktop for Windows, do not use the Decrypt & Verify shortcut menu available when you right-click an OpenPGP message file. Instead, launch PGP Desktop, select File->Open, browse to the file name, and open the file. Alternately, double-click the file icon to have it opened in PGP Desktop automatically.

Vendor Information

Vendor: Symantec    Status: Affected    Date notified: 2010-11-14    Date updated: 2010-11-18

References

http://www.cs.ru.nl/E.Verheul/papers/Govcert/Pretty%20Good%20Piggybagging%20v1.0.pdf
https://pgp.custhelp.com/app/answers/detail/a_id/2290
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101118_00

Credit

Thanks to Eric R. Verheul for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

Date Public: 2010-11-16
Date First Published: 2010-11-18
Date Last Updated: 2010-11-19
CVE-ID(s): CVE-2010-3618
NVD-ID(s): CVE-2010-3618
Severity Metric: 0.41
Document Revision: 25

Original Source

URL: http://www.kb.cert.org/vuls/id/300785

CWE : Common Weakness Enumeration

CWE-310 Cryptographic Issues (100 %)

CPE : Common Platform Enumeration

Type: Application    Count: 5

OpenVAS Exploits

2010-12-09    Name: PGP Desktop Signed Data Spoofing Vulnerability
              File: nvt/gb_pgp_desktop_data_spoofing_vuln.nasl

Open Source Vulnerability Database (OSVDB)

69379    PGP Desktop OpenPGP Message Verification Weakness

PGP Desktop contains a flaw that may allow an attacker to bypass certain security restrictions. This may allow an attacker to add their own message to the end of an otherwise legitimate OpenPGP multi-message packet, and have it be displayed as valid.