CERT Vulnerability Note VU#300785

PGP Desktop unsigned data injection vulnerability

Published: 2010-11-18
Source: www.kb.cert.org

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

EPSS: 0.014 Low (percentile 86.6%)

Overview

PGP Desktop 10.0.3 and earlier versions as well as 10.1.0 are vulnerable to an unsigned data injection attack. PGP Command Line versions 9.6 and greater are not affected by this vulnerability.

Description

The PGP Desktop user interface incorrectly displays messages with unsigned data as signed. A user will not be able to distinguish the legitimate signed part from the malicious unsigned parts. Additional details may be found in PGP’s KnowledgeBase article 2290, Symantec’s Security Advisory SYM10-012, and Eric R. Verheul’s Pretty Good Piggy-backing paper.


Impact

An attacker could add a message part (attachment) to a valid, signed PGP message and the entire message, including the attacker’s message part, would be reported to the reader as having a valid signature.
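The failure mode the Description and Impact sections describe is a message-level signature status that is derived from the signed part alone, so an appended unsigned part inherits it. The following is an added example, not code from the CERT note or from PGP Desktop: it models a multi-part message, verifies every part on its own, and contrasts a single-status verdict (signed as soon as any part verifies) with a per-part verdict that refuses to call the message signed while any part lacks a valid signature. Ed25519 stands in for the OpenPGP signature, the Part type and all function names are assumptions, and the sample message (one signed body plus one unsigned attachment) is constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Part is one piece of a multi-part message: a body plus an optional
// signature over that body. This is a constructed model for the example,
// not the OpenPGP packet format.
type Part struct {
	Name      string
	Body      []byte
	Signature []byte // nil when the part carries no signature at all
}

// PartStatus is the verification result for a single part.
type PartStatus struct {
	Name   string
	Signed bool // a signature was present and verified under the sender's key
}

// verifyParts checks each part independently; an absent signature is
// simply "not signed", never an error that aborts the whole message.
func verifyParts(pub ed25519.PublicKey, parts []Part) []PartStatus {
	out := make([]PartStatus, 0, len(parts))
	for _, p := range parts {
		ok := p.Signature != nil && ed25519.Verify(pub, p.Body, p.Signature)
		out = append(out, PartStatus{Name: p.Name, Signed: ok})
	}
	return out
}

// VulnerableVerdict models the behaviour described in the note: one
// message-level status that reads "signed" as soon as any part verifies,
// so an appended unsigned part is displayed under the legitimate part's
// status.
func VulnerableVerdict(statuses []PartStatus) bool {
	for _, s := range statuses {
		if s.Signed {
			return true
		}
	}
	return false
}

// HardenedVerdict reports the message as signed only when every part is
// covered by a valid signature, and otherwise names the parts that are not,
// so a reader can tell the signed content from the rest.
func HardenedVerdict(statuses []PartStatus) (bool, []string) {
	var unsigned []string
	for _, s := range statuses {
		if !s.Signed {
			unsigned = append(unsigned, s.Name)
		}
	}
	return len(unsigned) == 0, unsigned
}

// BuildSample constructs the scenario from the note: a legitimately signed
// body followed by an attachment that was appended without a signature.
func BuildSample() (ed25519.PublicKey, []Part) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	body := []byte("Please find the contract attached.")
	signed := Part{Name: "body.txt", Body: body, Signature: ed25519.Sign(priv, body)}
	injected := Part{Name: "contract.pdf", Body: []byte("constructed unsigned content")}
	return pub, []Part{signed, injected}
}

func main() {
	pub, parts := BuildSample()
	statuses := verifyParts(pub, parts)
	fmt.Println("single-status verdict says signed:", VulnerableVerdict(statuses))
	ok, unsigned := HardenedVerdict(statuses)
	fmt.Println("per-part verdict signed:", ok, "unsigned parts:", unsigned)
}
```

The per-part model is also what the workaround in the Solution section relies on: opening the file inside the application gives the user a view of each component, rather than a single verdict for the whole file.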


Solution

Apply an Update

Users should upgrade to version 10.0.3 SP2 or 10.1.0 SP1.


PGP recommends the following workaround:

If you use PGP Desktop for Windows, do not use the Decrypt & Verify shortcut menu available when you right-click an OpenPGP message file. Instead, launch PGP Desktop, select File->Open, browse to the file name, and open the file. Alternately, double-click the file icon to have it opened in PGP Desktop automatically.


Vendor Information


Symantec: Affected

Notified: November 15, 2010
Updated: November 18, 2010

Status: Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Concerned customers are encouraged to upgrade to version 10.0.3 SP2, which is now available by contacting PGP Technical Support, or 10.1.0 SP1 when it is released.

Vendor References

CVSS Metrics

Group          Score  Vector
Base           0      AV:–/AC:–/Au:–/C:–/I:–/A:–
Temporal       0      E:ND/RL:ND/RC:ND
Environmental  0      CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Eric R. Verheul for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2010-3618
Severity Metric: 0.41
Date Public:
