PGP Desktop service fails to validate user supplied data

ID VU:102465
Type cert
Reporter CERT
Modified 2007-02-12T00:00:00



PGP Desktop fails to properly validate objects passed into the PGP Desktop service. This vulnerability may allow a remote, authenticated attacker to execute arbitrary code.


PGP Desktop versions prior to 9.5.1 fail to properly validate objects passed into the PGP Desktop service (PGPServ.exe/PGPsdkServ.exe). PGP Desktop installs this service to transport objects and data between the PGP clients and the service itself. Because the service does not properly validate the user-supplied data it receives, a remote, authenticated attacker may be able to overwrite arbitrary memory.


A remote, authenticated attacker may be able to execute arbitrary code, possibly with elevated privileges.



PGP has addressed this issue in PGP version 9.5.1 and above.


PGP has provided the following workarounds:

1. Turn off Windows Filesharing. This is the definitive way to eliminate the problem since disabling Windows Filesharing would prevent the attack.
2. Use a third-party Personal Firewall, or the built-in Windows XP SP2 Firewall. Block foreign connections to your RPC/Filesharing services.
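The following audit script checks whether the two workarounds above are in effect on a Windows host. It is added here as an example and is not part of the CERT note or of PGP's guidance. It assumes a current Windows PowerShell with the NetAdapter, NetSecurity and SmbShare modules (Windows 8 / Server 2012 and later; the Windows XP SP2 firewall named above was configured with netsh instead), and it uses the well-known SMB/RPC ports 135, 139 and 445 as the "RPC/Filesharing services", a port list the note itself does not give.

```powershell
# Added example: audit PGP's two workarounds on a Windows host.
# Assumes Windows PowerShell 5+ with the NetAdapter and NetSecurity modules.
# The port list is an assumption; the advisory only says "RPC/Filesharing services".
$FileSharingPorts = 135, 139, 445

# Is the affected service present? Process names are the ones given in the advisory.
$pgpService = Get-Process -Name PGPServ, PGPsdkServ -ErrorAction SilentlyContinue
if ($pgpService) {
    Write-Host "PGP Desktop service running: $($pgpService.Name -join ', ')"
} else {
    Write-Host "PGP Desktop service not running"
}

# Workaround 1: "File and Printer Sharing for Microsoft Networks" (component ms_server)
# should be unbound from every network adapter.
$sharingBindings = Get-NetAdapterBinding -ComponentID ms_server |
    Where-Object { $_.Enabled }
if ($sharingBindings) {
    Write-Host "File sharing still bound on adapter(s): $($sharingBindings.Name -join ', ')"
} else {
    Write-Host "File and Printer Sharing is disabled on all adapters"
}

# Workaround 2: no enabled inbound Allow rule should expose the file-sharing ports to
# any remote address. Rules that use the 'RPC' / 'RPC-EPMap' port keywords instead of
# numeric ports are not matched by this numeric check and must be reviewed by hand.
$openRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        $addr  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        ($ports | Where-Object { $_ -in $FileSharingPorts }) -and ($addr -contains 'Any')
    }
foreach ($rule in $openRules) {
    Write-Host "Inbound rule allows file-sharing ports from any address: $($rule.DisplayName)"
}
if (-not $openRules) {
    Write-Host "No inbound Allow rule exposes ports $($FileSharingPorts -join ', ') to all remote addresses"
}
```

Run it from an elevated PowerShell prompt; the firewall and adapter-binding cmdlets need administrative rights. A host passes the check when the service is either absent or updated to 9.5.1 or later, file sharing is unbound on every adapter, and no inbound allow rule leaves the listed ports reachable from arbitrary remote addresses.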

Systems Affected

Vendor | Status | Date Notified | Date Updated
PGP Corporation | | - | 31 Jan 2007

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A




This vulnerability was reported by Peter Winter-Smith of NGSSoftware.

This document was written by Katie Steiner.

Other Information

  • CVE IDs: CVE-2007-0603
  • Date Public: 25 Jan 2007
  • Date First Published: 31 Jan 2007
  • Date Last Updated: 12 Feb 2007
  • Severity Metric: 4.04
  • Document Revision: 23