Tag Archives: GnuPG

SigSpoof GnuPG flaw could be exploited to spoof message signatures

GnuPG 2.2.8 released earlier this month addresses the CVE-2018-12020 vulnerability, dubbed SigSpoof, affecting GnuPG, Enigmail, GPGTools, and python-gnupg.

GnuPG, also known as GPG, is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows users to encrypt and sign data and communications.


“The signature verification routine in Enigmail, GPGTools 2018.2, and python-gnupg 0.4.2 parse the output of GnuPG 2.2.6 with a ‘--status-fd 2’ option, which allows remote attackers to spoof arbitrary signatures via the embedded ‘filename’ parameter in OpenPGP literal data packets, if the user has the verbose option set in their gpg.conf file,” reads the blog post published by Marcus Brinkmann, who discovered the SigSpoof flaw.

The expert noted that although verbose is disabled by default, it is included in several recommended configurations for GnuPG.

Status messages are parsed by applications that get information from GPG about the validity of a signature.

“Status messages are created with the option ‘--status-fd N’, where N is a file descriptor. If N is 2, status messages and regular diagnostic messages share the stderr output channel,” explains GnuPG maintainer Werner Koch.

“The issue resides in the OpenPGP protocol allowing the inclusion of the file name of the original input file into a signed or encrypted message. The GnuPG tool can display a notice with that file name during decryption and verification, but it does not sanitize the file name, meaning that an attacker could include line feeds or other control characters in it.”

The lack of file name sanitization in the GnuPG tool could be exploited by attackers to include line feeds or other control characters in the file name.

An attacker can inject terminal control sequences and create fake status messages, and can also fake the verification status of a signed email.

“The attacker can inject arbitrary (fake) GnuPG status messages into the application parser to spoof signature verification and message decryption results. The attacker can control the key ids, algorithm specifiers, creation times and user ids, and does not need any of the private or public keys involved.” continues Brinkmann.

Brinkmann noted that OpenPGP limits the file name of the encrypted file to 255 bytes.

Brinkmann published a proof of concept showing how to spoof signatures in both Enigmail and GPGTools, and a separate PoC showing how both the signature and the encryption can be spoofed in Enigmail. The expert also demonstrated how to spoof a signature on the command line.

While disabled by default, verbose is included in several recommended configurations for GnuPG, and it is one of the preconditions for this vulnerability.

To mitigate the issue, the researcher suggests not including verbose in gpg.conf and avoiding gpg --verbose on the command line. Developers have to add the --no-verbose option to all calls of gpg.
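As an added illustration (not code from Brinkmann's write-up or from GnuPG itself), the following Python models the shared-stderr parsing the article describes beside a reader that takes status lines from a dedicated descriptor with verbose off; all gpg output lines are constructed samples and the key id is a placeholder.

```python
# Status-line parsing: the shared-stderr pattern described above beside a
# hardened reader. All streams below are constructed samples, not real gpg output.
STATUS_PREFIX = "[GNUPG:] "

# What an application sees on stderr with "gpg --status-fd 2 --verbose": status
# lines and diagnostics share one channel, and the unsanitized "original file
# name" diagnostic carries attacker-chosen text containing line feeds. The
# message was only encrypted, never signed; the GOODSIG line is part of the name.
STDERR_SHARED = (
    "[GNUPG:] BEGIN_DECRYPTION\n"
    "gpg: original file name='hello.txt\n"
    "[GNUPG:] GOODSIG 0000000000000000 Alice <alice@example.invalid>\n"
    "'\n"
    "[GNUPG:] DECRYPTION_OKAY\n"
    "[GNUPG:] END_DECRYPTION\n"
)

# Same decryption with status on its own descriptor (--status-fd 3): the status
# channel holds only genuine lines; diagnostics still show the injected name
# if verbose is left on, but are never parsed for status.
STATUS_DEDICATED = "[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] END_DECRYPTION\n"
DIAG_VERBOSE = "gpg: original file name='hello.txt\n[GNUPG:] GOODSIG 0000000000000000 Alice <alice@example.invalid>\n'\n"
DIAG_NO_VERBOSE = "gpg: encrypted with RSA key, ID 0000000000000000\n"

# Invocation the hardened reader assumes: hand fd 3 to the child (for example
# via subprocess pass_fds) and read it separately from stderr.
GPG_ARGV = ["gpg", "--batch", "--no-verbose", "--status-fd", "3", "--decrypt"]


def status_keywords(text):
    """Return the keyword of every status line in a text stream."""
    return [line[len(STATUS_PREFIX):].split(" ", 1)[0]
            for line in text.splitlines() if line.startswith(STATUS_PREFIX)]

def naive_is_signed(stderr_text):
    """Vulnerable pattern: trusts any status line found in shared stderr."""
    return "GOODSIG" in status_keywords(stderr_text)

def suspicious_diagnostics(diag_text):
    """Detection: with a dedicated status fd, a status marker inside the
    diagnostics channel can only come from injected content."""
    return any(line.startswith(STATUS_PREFIX) for line in diag_text.splitlines())

def hardened_is_signed(status_text, diag_text):
    """Parse only the dedicated status channel; refuse if diagnostics look injected."""
    if suspicious_diagnostics(diag_text):
        return False
    return "GOODSIG" in status_keywords(status_text)
```

The naive reader reports the unsigned message as validly signed, while the hardened reader does not, and the injected name is flagged even when verbose was left on.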

Assessing the risks for critical infrastructure, the expert explained that the potential effects of this issue are severe.

“The vulnerability in GnuPG goes deep and has the potential to affect a large part of our core infrastructure. GnuPG is not only used for email security, but also to secure backups, software updates in distributions, and source code in version control systems like Git,” Brinkmann concludes.


Pierluigi Paganini

(Security Affairs – SigSpoof, GnuPG)


Breaking 4096-bit RSA with an Acoustic Cryptanalysis attack

Israeli Security researchers explained how to break 4096-bit RSA analyzing CPU sound emitted during decryption (Acoustic Cryptanalysis attack).

Israeli security researchers at Tel Aviv University recently published an interesting paper titled “RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis” explaining how they successfully broke 4096-bit RSA by analyzing the sound a computer's CPU emits during execution of decryption routines.

The trio of scientists, Daniel Genkin, Eran Tromer and RSA co-inventor Shamir, verified that results they first proposed a decade ago are valid: the researchers were able to extract a 4096-bit RSA key from a laptop with an acoustic side-channel attack, recording the noise coming from the device during decryption with a smartphone placed nearby.

The results are striking: attackers are able to recover a long RSA key in less than one hour with the method dubbed “acoustic cryptanalysis attack”.

“Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG’s current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.” states the paper summary.

The paper explains that it is realistic to perform a chosen-ciphertext attack on GnuPG. To do this, the researchers exploited GnuPG's automatic decryption of ciphertexts chosen by the attacker, delivered as encrypted e-mail messages following the OpenPGP and PGP/MIME protocols. Common applications, including the Thunderbird e-mail client plug-in, automatically decrypt incoming e-mail using GnuPG.

The attack scenario is intriguing: a hacker sends suitably crafted email messages to the victims and waits until they are decrypted once they reach the target computer. The attackers record the acoustic signature of that decryption, thereby closing the adaptive attack loop.

The scientists conducted several thousand repetitions of the algorithm's operation and found sound leakage directly correlated to the RSA key in use.

The paper describes the noise produced during decryption: “The acoustic signal of interest is generated by vibration of electronic components (capacitors and coils) in the voltage regulation circuit, as it struggles to supply constant voltage to the CPU despite the large fluctuations in power consumption caused by different patterns of CPU operations.”

Note that the signal analyzed by the researchers does not include noise generated by mechanical components such as the fan or hard disk, nor by the laptop's internal speaker.

The researchers demonstrated that many other applications are susceptible to the same acoustic cryptanalysis attack.

“We observe that GnuPG’s RSA signing (or decryption) operations are readily identified by their acoustic frequency spectrum. Moreover, the spectrum is often key-dependent, so that secret keys can be distinguished by the sound made when they are used. The same applies to ElGamal decryption.”

The researchers observed that the acoustic attack range surpassed 4 meters using a sensitive parabolic microphone, while without such a receiver they achieved a range of 1 meter.

The vulnerability was reported to GnuPG by the researchers; the three also recommended protecting users' PCs during decryption with sound-dampening equipment, such as “sound-proof” boxes.

The attack is effective against a number of laptop models, and the information that can leak depends on the specific hardware. The experiments demonstrated that on every machine it is possible to distinguish an idle CPU (x86 “HLT”) from a busy CPU, and on many machines it is possible to distinguish different patterns of CPU operations and different programs.

In summary, using GnuPG on some machines it is possible to:

  • distinguish between the acoustic signature of different RSA secret keys (signing or decryption), and
  • fully extract decryption keys, by measuring the sound the machine makes during decryption of chosen ciphertexts.

The attackers were able to implement an acoustic cryptanalysis attack using a mobile app running on a smartphone located near the target machine; another possibility is malware specifically designed to exploit the device's own microphone for the malicious purpose.

The developers of GnuPG have already developed a patch to fix the vulnerability exploited by the trio in the Acoustic Cryptanalysis attack, the fix is included in version 1.4.16 of GnuPG.

If you believe that the attack is limited by the proximity of the antenna to the victim PC, you are wrong: the researchers confirmed that it is possible to perform the attack from a greater distance using a parabolic microphone, and it may also be conducted with a laser microphone or vibrometer.

It is not the first time that acoustic signals have been used as a vector of information in an attack scenario; recently we also discussed the possibility of transferring a malicious payload via audio signals. Security measures must also be designed to secure systems against these innovative attack schemes.

Pierluigi Paganini

(Security Affairs – Acoustic Cryptanalysis attack, hacking)