CERT VU#566640
History: Jul 12, 2001 - 12:00 a.m.

pgp4pine fails to properly check for expired public keys

2001-07-12 00:00:00
www.kb.cert.org

CVSS2: 2.6 Low (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Access Vector: NETWORK; Access Complexity: HIGH; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: NONE; Availability Impact: NONE

EPSS: 0.002 Low (Percentile: 56.6%)

Overview

The program pgp4pine version 1.75.6 fails to properly identify expired public keys when working with the GNU Privacy Guard (GnuPG). When pgp4pine is used with the PINE mail reading package, this failure may result in the clear-text transmission of sensitive information.

Description

The program pgp4pine provides an interface between various PGP implementations and the PINE mail reading package. Version 1.75.6 of pgp4pine does not check whether public keys are expired when loading keys from the GnuPG OpenPGP implementation. When a user selects an expired public key from their key ring and attempts to encrypt a message to it, pgp4pine does not detect that the key is expired. Instead, it issues a command to GnuPG to encrypt the message with the expired key. The encryption fails and GnuPG returns an error indicating that the key is unusable. pgp4pine neither detects this error nor notifies the user that one has occurred; the unencrypted message is handed back to PINE's program flow, and PINE transmits it in clear text.

For more information, see the advisory provided by CryptNET.
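The two missing checks described above, as an added example that is not pgp4pine's or CryptNET's code: parse GnuPG's machine-readable key listing to reject expired keys before invoking gpg, and fail closed on gpg's exit status rather than letting the untouched plaintext flow back to the mailer. The key listing, key IDs, user IDs and the fake gpg runner's error text are all constructed for the example; `real_gpg` shows how the same runner interface maps onto an installed gpg via subprocess but is not exercised here.

```python
"""Added example (not pgp4pine's code): detect expired keys in GnuPG's
--with-colons listing and refuse to hand plaintext back when gpg fails."""
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample of `gpg --with-colons --list-keys` output, with the
# epoch-second timestamps modern GnuPG prints. Key IDs and UIDs are made up.
SAMPLE_LISTING = """\
tru::1:1594000000:0:3:1:5
pub:e:1024:17:1111111111111111:946684800:978307200::-:::scESC::::::::
uid:e::::946684800::0000000000000000000000000000000000000000::Alice Expired <alice@example.org>::::::::::0:
pub:u:2048:1:2222222222222222:1577836800:::u:::scESC::::::::
uid:u::::1577836800::1111111111111111111111111111111111111111::Bob Current <bob@example.org>::::::::::0:
"""

NOW = 1594000000  # fixed "current time" so the example is deterministic


@dataclass
class PubKey:
    keyid: str
    validity: str           # GnuPG validity letter: 'e' expired, 'r' revoked, 'u' ultimate, ...
    created: int
    expires: Optional[int]  # None when the key never expires
    uid: str


def parse_listing(text: str) -> List[PubKey]:
    """Parse pub records (and the first uid of each) from --with-colons output."""
    keys: List[PubKey] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # fields: 1 validity, 4 key ID, 5 creation date, 6 expiration date
            expires = int(f[6]) if f[6] not in ("", "0") else None
            keys.append(PubKey(f[4], f[1], int(f[5]), expires, ""))
        elif f[0] == "uid" and keys and not keys[-1].uid:
            keys[-1].uid = f[9]  # field 9 is the user ID string
    return keys


def is_expired(key: PubKey, now: int = NOW) -> bool:
    """Expired if GnuPG flags it, or if the expiry timestamp has passed."""
    return key.validity == "e" or (key.expires is not None and key.expires <= now)


class EncryptionFailed(Exception):
    pass


# A runner executes a gpg command line with stdin and returns (rc, stdout, stderr).
Runner = Callable[[List[str], str], Tuple[int, str, str]]


def fake_gpg(argv: List[str], stdin: str) -> Tuple[int, str, str]:
    """Constructed stand-in for gpg: on an unusable key it exits non-zero with
    empty stdout and an error on stderr. The message text is an approximation."""
    keyid = argv[argv.index("-r") + 1]
    by_id = {k.keyid: k for k in parse_listing(SAMPLE_LISTING)}
    if keyid not in by_id or is_expired(by_id[keyid]):
        return (2, "", f"gpg: {keyid}: skipped: unusable public key\n"
                       "gpg: [stdin]: encryption failed: unusable public key\n")
    return (0, "-----BEGIN PGP MESSAGE-----\n...\n-----END PGP MESSAGE-----\n", "")


def real_gpg(argv: List[str], stdin: str) -> Tuple[int, str, str]:
    """Runner for an installed gpg binary (not used by the offline example)."""
    p = subprocess.run(argv, input=stdin, capture_output=True, text=True)
    return (p.returncode, p.stdout, p.stderr)


def vulnerable_encrypt(plaintext: str, keyid: str, run: Runner = fake_gpg) -> str:
    """Models the flaw in the advisory: the exit status is ignored, and when gpg
    produces no output the untouched plaintext is returned to the mailer."""
    _rc, out, _err = run(["gpg", "--batch", "--armor", "--encrypt", "-r", keyid], plaintext)
    return out if out else plaintext   # BUG: falls through to clear text


def safe_encrypt(plaintext: str, keyid: str, run: Runner = fake_gpg,
                 listing: str = SAMPLE_LISTING, now: int = NOW) -> str:
    """Hardened version: reject expired keys up front, then fail closed on any error."""
    key = {k.keyid: k for k in parse_listing(listing)}.get(keyid)
    if key is None or is_expired(key, now):
        raise EncryptionFailed(f"key {keyid} is missing or expired; refusing to send")
    rc, out, err = run(["gpg", "--batch", "--armor", "--encrypt", "-r", keyid], plaintext)
    if rc != 0 or not out.startswith("-----BEGIN PGP MESSAGE-----"):
        raise EncryptionFailed(f"gpg exited {rc}: {err.strip()}")
    return out
```

The pre-check alone is not sufficient: a key can expire between the listing and the encrypt call, or gpg can fail for other reasons (revoked key, missing key, bad trust), so the wrapper also inspects the exit status and confirms that the output is actually an armored message before passing anything back to the mailer.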


Impact

Sensitive materials may be transmitted over the network in clear text, without the intention or knowledge of the sender.


Solution

No vendor patch is known to exist; however, a patch is provided by CryptNET.


Validate all keys on your keyring at regular intervals. Remove expired keys.


Vendor Information


Holger Lamm: Affected

Notified: June 25, 2001 Updated: July 12, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Although we have not been able to confirm this vulnerability with the author, we believe pgp4pine is indeed vulnerable as described in the CryptNET advisory.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23566640 Feedback>).


Acknowledgements

Our thanks to CryptNET, who published an advisory on this problem, available at http://www.cryptnet.net/fcp/audit/pgp4pine/01.html

This document was written by Jason Rafail.

Other Information

CVE IDs: CVE-2001-0273
Severity Metric: 0.68
Date Public:
