"Piggy-Back" Vulnerability in PGP Desktop

Article ID: 153728

Products

Symantec Products

Issue/Introduction


PGP Desktop versions 10.0.3 and earlier, as well as the upcoming 10.1 release, are vulnerable to a "piggy-back" attack. In this attack, unsigned (and therefore untrusted) data is inserted alongside the signed data in an OpenPGP message signed by a trusted source. When the message is decrypted and verified, PGP Desktop may output the unsigned data together with the signed data and report the whole message as validly signed.

PGP Command Line versions 9.6 and greater are not affected by this vulnerability.

Resolution


As defined in RFC 4880, OpenPGP messages are composed of "packets" of information. For example, an OpenPGP message may contain literal data, signatures, encrypted content, and so on. Typically, messages are signed and encrypted, or perhaps just signed, or just encrypted. If a file is signed, there is assurance that it came from a known source (the signer) and was not tampered with. That assurance, however, covers only the packets the signature actually spans (in a one-pass signed message, the data between the One-Pass Signature packet and its corresponding Signature packet); any packet placed outside that span is ordinary, unsigned content.

A skilled attacker, however, can insert unsigned packets into an OpenPGP message that contains signed data. In some circumstances, PGP Desktop will output both the signed and the unsigned data and report the output as signed, even though part of it is not. Alternately, an attacker can insert a separately encrypted packet into an OpenPGP message that contains signed and encrypted data. PGP Desktop will output both the merely encrypted data and the encrypted and signed data, and report that the signature was verified. The matrix below shows which decrypt/verify paths are affected: opening the file in PGP Desktop itself, or right-clicking the OpenPGP message file and choosing Decrypt & Verify.

PGP Desktop for Windows

                                   Unsigned Data Alongside   Encrypted Data Alongside
                                   Signed Data               Encrypted+Signed Data
  Decrypt/Verify File
    in PGP Desktop                 Not Vulnerable            Not Vulnerable
  Decrypt/Verify File
    via Right-Click                Vulnerable                Vulnerable

PGP Desktop for Mac

                                   Unsigned Data Alongside   Encrypted Data Alongside
                                   Signed Data               Encrypted+Signed Data
  Decrypt/Verify File
    in PGP Desktop                 Not Vulnerable            Not Vulnerable
  Decrypt/Verify File
    via Right-Click                Vulnerable                Vulnerable


Note that double-clicking an OpenPGP (.pgp) message file will cause the file to be opened for decryption and verification in PGP Desktop.
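The following is an added example, not code from PGP Desktop or PGP Command Line. It shows the structural check a verifier needs in order not to be fooled by the attack described above: it parses RFC 4880 packet headers, pulls the plaintext out of every Literal Data packet, and then accepts the stream as "signed" only if the top-level packet sequence is exactly one signed message (n One-Pass Signature packets, one Literal Data packet, n Signature packets). A Literal Data packet outside that span, or a second encrypted container next to a signed one, decrypts to perfectly readable plaintext but is not covered by the signature. The sample messages, the packet builder helpers and the eight-byte placeholders standing in for real signature bodies are all constructed for this example; no cryptographic verification is performed.

```python
"""Structural audit of an OpenPGP packet stream for "piggy-backed" packets.

Added example, not PGP Desktop or PGP Command Line code. Signature and
One-Pass Signature bodies are constructed placeholders, not real signatures.
"""
import struct

TAG_SIG, TAG_OPS, TAG_LITERAL, TAG_SEIPD = 2, 4, 11, 18


def parse_packets(data: bytes) -> list:
    """Return [(tag, body), ...] for a stream of old- or new-format packets."""
    packets, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet tag byte 0x{ctb:02x} at {i}")
        i += 1
        if ctb & 0x40:                      # new format: tag in low 6 bits
            tag, first = ctb & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length = ((first - 192) << 8) + data[i + 1] + 192
                i += 2
            elif first == 255:
                length = struct.unpack(">I", data[i + 1:i + 5])[0]
                i += 5
            else:
                raise ValueError("partial body lengths not handled here")
        else:                               # old format: tag in bits 2-5
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            length = int.from_bytes(data[i:i + (1 << ltype)], "big")
            i += 1 << ltype
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        packets.append((tag, body))
        i += length
    return packets


def literal_texts(packets) -> list:
    """Plaintext of every Literal Data packet (format, name, date, data)."""
    out = []
    for tag, body in packets:
        if tag == TAG_LITERAL:
            name_len = body[1]
            out.append(body[2 + name_len + 4:].decode("utf-8", "replace"))
    return out


def audit(packets) -> str:
    """Classify the top-level packet sequence (compressed packets not handled)."""
    tags = [t for t, _ in packets]
    n = 0
    while n < len(tags) and tags[n] == TAG_OPS:
        n += 1
    if n and tags == [TAG_OPS] * n + [TAG_LITERAL] + [TAG_SIG] * n:
        return "signed"            # every literal byte lies inside the bracket
    if tags == [TAG_LITERAL]:
        return "unsigned"
    if tags == [TAG_SEIPD]:
        return "encrypted"         # decrypt, then audit the inner stream
    if tags.count(TAG_LITERAL) > 1 or tags.count(TAG_SEIPD) > 1:
        return "piggyback"         # data outside the signed span, or 2 containers
    return "malformed"


# --- constructed sample streams (not captured from a real message) ----------
def pkt(tag: int, body: bytes) -> bytes:
    """New-format packet header with a one-octet length (body < 192 bytes)."""
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body


def literal(text: bytes) -> bytes:
    """Literal Data body: format 'b', empty filename, zero date, then data."""
    return b"b" + b"\x00" + b"\x00\x00\x00\x00" + text


PLACEHOLDER = b"\x00" * 8              # stands in for OPS / Signature bodies
SIGNED = (pkt(TAG_OPS, PLACEHOLDER)
          + pkt(TAG_LITERAL, literal(b"Transfer 100 EUR to account A"))
          + pkt(TAG_SIG, PLACEHOLDER))
# Attacker appends an unsigned literal after the Signature packet.
PIGGYBACK = SIGNED + pkt(TAG_LITERAL, literal(b"Transfer 100000 EUR to account B"))
# Two encrypted containers: one signed+encrypted, one merely encrypted.
TWO_CONTAINERS = pkt(TAG_SEIPD, b"\x01" + PLACEHOLDER) * 2

if __name__ == "__main__":
    for name, stream in [("signed", SIGNED), ("piggyback", PIGGYBACK),
                         ("two containers", TWO_CONTAINERS)]:
        pk = parse_packets(stream)
        print(f"{name:15} -> {audit(pk):10} literals={literal_texts(pk)}")
```

A verifier that outputs every literal it finds and reports "signature verified" whenever the one signed span checks out is exactly what the matrix above describes. The safe behaviour is to refuse (or at least to flag) any stream that `audit` does not classify as `signed`, `unsigned` or `encrypted`, rather than to emit the extra plaintext.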

Remediation

If you use PGP Desktop for Windows, do not use the Decrypt & Verify shortcut menu available when you right-click an OpenPGP message file. Instead, launch PGP Desktop, select File->Open, browse to the file name, and open the file. Alternately, double-click the file icon to have it opened in PGP Desktop automatically. The same applies to PGP Desktop for Mac, where the matrix above shows the right-click path to be vulnerable as well.

Concerned customers are encouraged to upgrade to version 10.0.3 SP2, which is now available by contacting PGP Technical Support, or 10.1.0 SP1 when it is released.

Acknowledgement

PGP Corporation would like to thank security researcher Eric Verheul, Digital Security group, Radboud University Nijmegen, for alerting us to this issue.