Security Flaw Discovered in GPG

WeLikeRoy writes "A serious problem in the use of GPG to verify digital signatures has been discovered, which also affects the use of gpg in email. It is possible for an attacker to take any signed message and inject extra arbitrary data without affecting the signed status of the message. Depending on how gpg is invoked, it may be possible to output just faked data as several variants of this attack have been discovered. All versions of gnupg prior to 1.4.2.2 are affected, and it is thus recommended to update GnuPG as soon as possible to version 1.4.2.2."

Not a fundamental flaw.

[aprilsound]

From TFA:

The attack is to change a standard message to inject faked data (F). A simple case is this: F + O + D + S gpg now happily skips F for verification and does a proper signature verification of D and if this succeeds, prints a positive result. However when asked to output the actual signed data it will output the concatenation of F + D and thus create the impression that both are covered by the signature.

So this is a simple mistake made by GPG, in an effort to coexist well with email and the like.

In other words, GPG looks at an email message and sees headers and the like. Of course, the headers were not signed (just the message), so GPG skips them and when it encounters the signed message, it begins to verify the signature.

So, if you are an attacker, you insert something before or after the signed message, and when GPG goes to verify it, the signed message passes, but GPG nicely prints out the whole message for you, instead of just the signed part. Oops, not a big deal, encryption isn't broken, in fact this is just an application bug.

Re:Bug Intentionally Placed?

[Anonymous Coward]

After all, some people (including myself) have invested some very expensive stakes in the security of GnuPG over the years.

Ah ha. And how many times did you personally verify the source before you trusted it?

Security Flaw Discovered in GPG?

[NullProg]

Shouldn't this read Security Flaw Discovered for users of GPG ?

I'm guessing, but 95% of computing world doesn't use GPG. And isn't this a "Man In the Middle" attack? How many routers have been compromised that I need to worry about this?

Are my GPG encrypted messages to the kremlin, CIA, or FBI less secure? Are my "lovey-dovey, are you naked" messages to my wife compromised? Thats about all I use GPG for.

Enjoy.

Re:Bug Intentionally Placed?

[larry bagina]

I guess we should be thanking you for finding this problem. Since you did verify the source code doesn't contain any security holes. You did find the hole, right?

Re:Oh no!

[Anonymous Crowhead]

It's funny. Back in the day, when Slashdot was cool, almost everyone would know what GPG was. Most of the articles were like this one. Cool stuff about cool technology. Not politics (aside from GNU) and all the other crap like the "new mouse/keyboard techonolgy of the week" adverts that permeates Slashdot these days.

Re:Well...

[NullProg]

It is true that 95% of users don't use GPG, but I'd regard that as a flaw in and of itself. Mind you, most e-mail programs (including, IIRC, thunderbird) don't support GPG, although some do support a limited range of digital certificates.

I agree. But again, the way I read the alert, isn't this a "Man In the Middle" attack?

Does it affect routers or the infrastructure of the Internet? Only insofar as domain registrars never validate change requests properly. A carefully-crafted attack could use this to append a change-of-IP request to some ISP's routine request to a registrar, which means an attacker could create a phony DNS server for the express purpose of polluting the DNS namespace. If the registrar uses GPG's validation as proof of a legit request (and some are quite happy with a fax with no proof of origin at all) then it could have an impact.

If your able to effect routers on an ISP infrastructure then were not talking script kiddies. We all know DNS hijacking. To do what your talking about requires leet skillz. Maybe I could, you possibly could, but how many others? How secure is GPG against an amatuer?

BTW: my parent post is marked as Troll. Some idiot has moderator points.

Thanks for the response.
Enjoy.

Re:Not a fundamental flaw.

[linhux]

Sorry, but this like a big deal to me. The whole point of digital signatures is that you can know exactly what has been signed by the signer -- and be sure that nothing has been added and removed on the way. Consider this e-mail:

From: BOSS@CORPORATE.COM
To: MIDDLEMANAGER@CORPORATE.COM
Subject: Employee Burt Reynolds

That's a fine lad! Let's give him a raise!

-- Boss

GPG SIGNATURE VERIFIED: BOSS@CORPORATE.COM

Now, this message can be intercepted and a new part inserted before the actual message body, without the receiver being notified -- here I have marked the new part with bold text:

From: BOSS@CORPORATE.COM
To: MIDDLEMANAGER@CORPORATE.COM
Subject: Employee Burt Reynolds

Fire him immediately. He is a waste of space.

Employee Foo Bar, on the other hand. That's a fine lad! Let's give him a raise!

-- Boss

GPG SIGNATURE VERIFIED: BOSS@CORPORATE.COM

The message meaning has been completely altered, and GPG still verifies the signature. Feels like a big deal to me. But of course, I might have completely missed something.

Re:GPG is:

[Martin Blank]

Not as bad as an atom bomb, but classified along with, say, machineguns and antitank rockets. The software actually got out of the country legally by way of printing it in book format (which was not considered software at the time) and then scanning it in another country and using character recognition and a good deal of editing time to get it to compile properly.

This was also a primary catalyst for the argument of how strong exportable encryption should be, and which brought the encryption debate out into the public eye. Had he not done this, we might be a few years behind our current status, just having finished accepted the appropriateness of exporting heavy encryption.