Date: Fri, 30 Oct 2015 13:05:49 -0400 (EDT)
From: cve-assign@...re.org
To: g.hollestelle@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Openpgp.js Critical vulnerability in S2K

> A vulnerability in the S2K function of OpenPGP.js allows to produce a
> predictable session key without knowing the passphrase.
> 
> An attacker is able to create a private PGP key that will decrypt in
> OpenPGP.js regardless of the passphrase given.
> 
> Also using this flaw it is possible to forge a symmetrically encrypted PGP
> message (Symmetric-Key Encrypted Session Key Packets (Tag 3)) that
> will decrypt with any passphrase in OpenPGP.js. This can be an attack
> vector if successful decryption of such a message is used as an
> authentication mechanism.
> 
> The bug is fixed with a strict check on unknown S2K types.
> 
> https://www.mail-archive.com/list@...npgpjs.org/msg00918.html
> https://github.com/openpgpjs/openpgpjs/commit/668a9bbe7033f3f475576209305eb57a54306d29

Nobody has commented on this, so we'll conclude that "successful
decryption of such a message is used as an authentication mechanism"
is a plausible use case, and assign a CVE ID: CVE-2015-8013.

As far as we know, the scenario might be something like:

  if a user symmetrically encrypts a message of "hello" with the
  hard-to-guess passphrase of secret0, then an automated process
  grants them access to uid 0

  if a user symmetrically encrypts a message of "hello" with the
  hard-to-guess passphrase of secret1, then an automated process
  grants them access to uid 1

  etc.

Although there is a communication channel from the user to the
automated process, there is no way for the user to send a helpful hint
about what passphrase should be tried. The automated process only
tries its own set of hard-coded passphrases. For this reason, it is a
vulnerability if a user is able to construct (intentionally) a
properly formatted message that seems to be encrypted in a useful
way, but actually isn't encrypted in a useful way.

This vulnerability (unlike the
https://github.com/openpgpjs/openpgpjs/wiki/Cure53-security-audit
vulnerabilities) is not yet referenced from the
https://github.com/openpgpjs/openpgpjs/blob/master/README.md page.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
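
The quoted report says the bug is fixed with a strict check on unknown S2K types. The following is an added example, not part of the original message and not OpenPGP.js code: a fail-closed parser for an S2K specifier using the type numbers and layouts from RFC 4880 section 3.7.1. The names `parseS2K`, `readSalt`, `rejects` and the returned field names are hypothetical, and the sample bytes are constructed.

```javascript
// Added example: strict parser for an OpenPGP string-to-key (S2K) specifier.
// Type numbers and layouts follow RFC 4880 section 3.7.1; function and field
// names are hypothetical and not taken from OpenPGP.js.
const S2K_SIMPLE = 0, S2K_SALTED = 1, S2K_ITERATED = 3;

function readSalt(bytes) {
  // Salted types carry an 8-octet salt after the type and hash octets.
  if (bytes.length < 10) throw new Error('S2K salt truncated');
  return bytes.slice(2, 10);
}

function parseS2K(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 2) {
    throw new Error('S2K specifier truncated');
  }
  const type = bytes[0];
  const spec = { type, hashAlgo: bytes[1], salt: null, count: null, length: 2 };
  switch (type) {
    case S2K_SIMPLE:
      break;
    case S2K_SALTED:
      spec.salt = readSalt(bytes);
      spec.length = 10;
      break;
    case S2K_ITERATED: {
      spec.salt = readSalt(bytes);
      if (bytes.length < 11) throw new Error('S2K count octet missing');
      const c = bytes[10];
      // Coded count: (16 + low nibble) << (high nibble + 6)
      spec.count = (16 + (c & 15)) << ((c >> 4) + 6);
      spec.length = 11;
      break;
    }
    default:
      // Fail closed: an unrecognised type must never reach key derivation,
      // where it could otherwise yield a key unrelated to the passphrase.
      throw new Error('Unknown S2K type: ' + type);
  }
  return spec;
}

// Constructed sample inputs (not real key material).
const iterated = Uint8Array.of(3, 8, 1, 2, 3, 4, 5, 6, 7, 8, 0x60);
const unknown = Uint8Array.of(0x7f, 8);
function rejects(input) {
  try { parseS2K(input); return false; } catch (e) { return true; }
}
console.log(parseS2K(iterated).count, rejects(unknown));
```

The same fail-closed rule belongs in the key-derivation step: if it switches on the S2K type again, its default branch should throw rather than return an empty or undefined key.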
