Researchers have identified a weakness in several encrypted mail applications, including GnuPG, Enigmail, and others, that lets a remote attacker spoof a signature on an encrypted message.
By exploiting this vulnerability, an attacker could create a message that appears to have a valid digital signature but isn’t signed at all. The bug is the result of an issue with the way that some tools handle signature verification under certain circumstances. The researcher who discovered the vulnerability said it affects GnuPG, Enigmail, and GPGTools, all of which have issued patches for the bug.
Encrypted email systems use digital signatures as a way to verify that a given message actually came from the sender. This vulnerability means that recipients using vulnerable versions of these tools can’t necessarily trust that the messages they’ve received are authentic. In all cases, a successful attack relies on the user having verbose mode enabled, an option that isn’t enabled by default.
“The attacker can inject arbitrary (fake) GnuPG status messages into the application parser to spoof signature verification and message decryption results. The attacker can control the key ids, algorithm specifiers, creation times and user ids, and does not need any of the private or public keys involved,” Marcus Brinkmann, the researcher who discovered the bug, wrote in an explanation of a possible attack scenario.
“The only limitation is that all status messages need to fit into 255 characters, which is the limit for the ‘name of the encrypted file’ in OpenPGP.”
Brinkmann developed several proof-of-concept scenarios that he published in his advisory, some of which apply to Enigmail and some of which apply to GnuPG or GPGTools. He recommends that users check to make sure that they don’t have verbose mode enabled and upgrade to the fixed version of their app as soon as possible. One of the potential attacks on Enigmail can spoof both the signature and the encryption of the message itself.
“The attack is very powerful, and the message does not even need to be encrypted at all. A single literal data (aka “plaintext”) packet is a perfectly valid OpenPGP message, and already contains the “name of the encrypted file” used in the attack, even though there is no encryption. As a consequence, we can spoof the encryption as well,” Brinkmann said.
“But because we need to inject more status messages, we need to drop some information that is unused in the application to make more space for what is needed. We use a shorter version of VALIDSIG which is compatible with an older version of GnuPG that is still supported by Enigmail, and add just enough status messages to spoof an encrypted message for the signature.”
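The “name of the encrypted file” field described above can be checked before its value is echoed into any line-based output. The following is an added example, not code from the article, the advisory, or any of the affected projects: it reads the file name from a leading OpenPGP literal data packet and flags names that contain control characters or the `[GNUPG:]` status-line prefix. The function names and sample packets are constructed for illustration, and the input is assumed to begin with the literal data packet, not a compressed or encrypted wrapper.

```python
import re

LITERAL_DATA_TAG = 11  # OpenPGP literal data packet (RFC 4880, section 5.9)
CONTROL = re.compile(rb"[\x00-\x1f\x7f]")  # C0 controls and DEL, newline included

def literal_filename(packet: bytes):
    """Return the file name of a leading literal data packet, or None."""
    if len(packet) < 2 or not packet[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    first, o1 = packet[0], packet[1]
    if first & 0x40:  # new-format header
        tag = first & 0x3F
        # length field is 1, 2 or 5 octets; partial lengths (224..254) use 1
        hdr = 2 if o1 < 192 or 224 <= o1 < 255 else (3 if o1 < 224 else 6)
    else:  # old-format header; length type 3 means indeterminate length
        tag = (first >> 2) & 0x0F
        hdr = 1 + (1, 2, 4, 0)[first & 0x03]
    if tag != LITERAL_DATA_TAG:
        return None
    body = packet[hdr:]
    # body[0] is the format octet, body[1] the one-octet name length (max 255)
    if len(body) < 2 or len(body) < 2 + body[1]:
        raise ValueError("truncated literal data packet")
    return body[2:2 + body[1]]

def filename_findings(name: bytes):
    """List reasons this name should not be echoed into line-based output."""
    findings = []
    if CONTROL.search(name):
        findings.append("control character in file name")
    if b"[GNUPG:]" in name:
        findings.append("GnuPG status prefix in file name")
    return findings

def sanitize_for_log(name: bytes) -> str:
    """Escape the name so it always stays on a single output line."""
    return name.decode("utf-8", "replace").encode("unicode_escape").decode("ascii")

def build_literal(name: bytes, data: bytes) -> bytes:
    """Constructed sample: new-format literal data packet with a short body."""
    body = b"b" + bytes([len(name)]) + name + b"\x00" * 4 + data
    assert len(body) < 192  # keeps the one-octet length encoding valid
    return bytes([0xC0 | LITERAL_DATA_TAG, len(body)]) + body

# Constructed inputs, not taken from the advisory
BENIGN = build_literal(b"report.txt", b"hello")
SUSPECT = build_literal(b"report.txt\n[GNUPG:] CONSTRUCTED_EXAMPLE", b"hello")
```

The one-octet length field is why the injected text is limited to 255 characters, as the quoted advisory notes.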
GnuPG is entrenched in a number of different applications and parts of the Internet’s inner workings, making this issue all the more problematic.
“The vulnerability in GnuPG goes deep and has the potential to affect a large part of our core infrastructure. GnuPG is not only used for email security, but also to secure backups, software updates in distributions, and source code in version control systems like Git,” Brinkmann said in his advisory.