Date: Fri, 30 Oct 2015 13:05:49 -0400 (EDT)
From: cve-assign@...re.org
To: g.hollestelle@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Openpgp.js Critical vulnerability in S2K

> A vulnerability in the S2K function of OpenPGP.js allows to produce a
> predictable session key without knowing the passphrase.
>
> An attacker is able to create a private PGP key that will decrypt in
> OpenPGP.js regardless of the passphrase given.
>
> Also using this flaw it is possible to forge a symmetrically encrypted PGP
> message (Symmetric-Key Encrypted Session Key Packets (Tag 3)) that
> will decrypt with any passphrase in OpenPGP.js. This can be an attack
> vector if successful decryption of such a message is used as an
> authentication mechanism.
>
> The bug is fixed with a strict check on unknown S2K types.
>
> https://www.mail-archive.com/list@...npgpjs.org/msg00918.html
> https://github.com/openpgpjs/openpgpjs/commit/668a9bbe7033f3f475576209305eb57a54306d29

Nobody has commented on this, so we'll conclude that "successful
decryption of such a message is used as an authentication mechanism"
is a plausible use case, and assign a CVE ID: CVE-2015-8013.

As far as we know, the scenario might be something like:

  if a user symmetrically encrypts a message of "hello" with the
  hard-to-guess passphrase of secret0, then an automated process
  grants them access to uid 0

  if a user symmetrically encrypts a message of "hello" with the
  hard-to-guess passphrase of secret1, then an automated process
  grants them access to uid 1

  etc.

Although there is a communication channel from the user to the
automated process, there is no way for the user to send a helpful hint
about what passphrase should be tried. The automated process only
tries its own set of hard-coded passphrases.

For this reason, it is a vulnerability if a user is able to construct
(intentionally) a properly formatted message that seems to be
encrypted in a useful way, but actually isn't encrypted in a useful
way.

This vulnerability (unlike the
https://github.com/openpgpjs/openpgpjs/wiki/Cure53-security-audit
vulnerabilities) is not yet referenced from the
https://github.com/openpgpjs/openpgpjs/blob/master/README.md page.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
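
The report quoted above says the bug was fixed with a strict check on unknown S2K types. As an added illustration (not part of the original message and not the OpenPGP.js code), the parser below reads an S2K specifier as laid out in RFC 4880 section 3.7.1 and refuses any type it does not recognise; the function names and sample bytes are constructed for this example.

```javascript
// Added illustration: strict parser for an OpenPGP string-to-key (S2K)
// specifier, following RFC 4880 section 3.7.1. Not OpenPGP.js code.
const S2K_SIMPLE = 0, S2K_SALTED = 1, S2K_ITERATED = 3;

// Decode the one-octet iteration count used by iterated and salted S2K.
function decodeCount(c) {
  return (16 + (c & 15)) << ((c >> 4) + 6);
}

// Parse an S2K specifier at `offset` in `bytes` (Uint8Array).
// Throws on unknown types or truncated input instead of returning a
// partly filled object that a caller could later turn into a key.
function parseS2K(bytes, offset = 0) {
  const need = (n) => {
    if (offset + n > bytes.length) throw new Error('Truncated S2K specifier');
  };
  need(2);
  const type = bytes[offset];
  const spec = { type, hashAlgorithm: bytes[offset + 1], length: 2 };
  switch (type) {
    case S2K_SIMPLE:
      break;
    case S2K_SALTED:
    case S2K_ITERATED:
      need(10);
      spec.salt = bytes.slice(offset + 2, offset + 10);
      spec.length = 10;
      if (type === S2K_ITERATED) {
        need(11);
        spec.count = decodeCount(bytes[offset + 10]);
        spec.length = 11;
      }
      break;
    default:
      // The strict check: reserved (2), private/experimental (100-110)
      // and every other value are refused outright.
      throw new Error('Unknown S2K type: ' + type);
  }
  return spec;
}

// Constructed sample specifiers (not taken from any real key or message).
const salt = [1, 2, 3, 4, 5, 6, 7, 8];
const samples = {
  iterated: Uint8Array.from([3, 8, ...salt, 96]),  // SHA-256, count octet 96
  unknown: Uint8Array.from([42, 8, ...salt, 96]),  // type 42 is not defined
};
```

A caller that derives the session key only from the object `parseS2K` returns cannot reach key derivation with an unrecognised type, because the exception aborts packet processing first.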