A failure affecting GnuPG has made some of the most commonly used e-mail encryption programs vulnerable to digital signature falsification. The list of affected programs includes Enigmail and GPGTools.
About Vulnerability (CVE-2018-12020)
The vulnerability CVE-2018-12020, nicknamed SigSpoof by Marcus Brinkmann, the investigator who found it, emerged from “weak design choices.” According to the information security specialist, the signature verification routine in Enigmail 18.104.22.168, GPGTools 2018.2 and Python-gnupg 0.4.2 allows remote attackers to falsify signatures through the “filename” parameter.
“The attacker can control key identifiers, algorithm specifiers, creation times, and user IDs, and does not need any of the private or public keys involved,” adds Brinkmann.
The information security investigator shared several samples of the various possible attacks, such as impersonation of signature, impersonation of signature and encryption, and impersonation of signature on the command line.
In collaboration with another hacker, he also found the vulnerability CVE-2018-12019 that allows for a similar attack (spoofing of signatures) but specifically aimed at Enigmail.
Error CVE-2018-12020 is found in the versions of GnuPG 0.2.2 to 2.2.7, in Enigmail 22.214.171.124 and earlier, in GPGTools 2018.2 and earlier, and in Python-GnuPG 0.4.2 and earlier.
All of these packages have already been updated, so if you are using any of them, be sure to upgrade to the latest available version.
Any software could be potentially affected. If you use GnuPG in your application, you must verify that it is not affected, and consider some additional information security measures, say specialists from the International Institute of Cyber Security.
Brinkman is concerned that the vulnerability has potential to affect a large part of the central infrastructure, since in addition to being used for email & information security, GnuPG is also used to protect backups, software updates and source code in control systems.