Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 30 Oct 2015 13:05:49 -0400 (EDT)
From: cve-assign@...re.org
To: g.hollestelle@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Openpgp.js Critical vulnerability in S2K

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> A vulnerability in the S2K function of OpenPGP.js allows to produce a
> predictable session key without knowing the passphrase.
> 
> An attacker is able to create a private PGP key that will decrypt in
> OpenPGP.js regardless of the passphrase given.
> 
> Also using this flaw it is possible to forge a symmetrically encrypted PGP
> message (Symmetric-Key Encrypted Session Key Packets (Tag 3)) that
> will decrypt with any passphrase in OpenPGP.js. This can be an attack
> vector if successful decryption of such a message is used as an
> authentication mechanism.
> 
> The bug is fixed with a strict check on unknown S2K types.
> 
> https://www.mail-archive.com/list@openpgpjs.org/msg00918.html
> https://github.com/openpgpjs/openpgpjs/commit/668a9bbe7033f3f475576209305eb57a54306d29

Nobody has commented on this, so we'll conclude that "successful
decryption of such a message is used as an authentication mechanism"
is a plausible use case, and assign a CVE ID: CVE-2015-8013.

As far as we know, the scenario might be something like:

  if a user symmetrically encrypts a message of "hello" with the
  hard-to-guess passphrase of secret0, then an automated process
  grants them access to uid 0

  if a user symmetrically encrypts a message of "hello" with the
  hard-to-guess passphrase of secret1, then an automated process
  grants them access to uid 1

  etc.

Although there is a communication channel from the user to the
automated process, there is no way for the user to send a helpful hint
about what passphrase should be tried. The automated process only
tries its own set of hard-coded passphrases. For this reason, it is a
vulnerability if a user is able to construct (intentionally) a
properly formatted message that seems to be encrypted in a useful
way, but actually isn't encrypted in a useful way.

This vulnerability (unlike the
https://github.com/openpgpjs/openpgpjs/wiki/Cure53-security-audit
vulnerabilities) is not yet referenced from the
https://github.com/openpgpjs/openpgpjs/blob/master/README.md page.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWM6LRAAoJEL54rhJi8gl5C70QANEfTQ+t7ws0lPSPa1qJ0h+0
a1EsXsyF28Og6mDQnZt4Y+Fd2L1WaXpdEzplf8Q7IZt/zPL0d7UOPG9A7js51M7N
mXfPAEZSUSHCpeSYEhwnoSGnsQpIhXBiyduKt/9MaCgSXux/30pqOOOU7TU1Xeo/
3ByWnZavS9YuKFQP3ChWyzh8wGuxMe9OmFkFBzjAwyb5gZ57AtpbZHqHXdBDGJiE
OHSMp5cbM/K7Jtr0wQCidkXsMyHrlKo1PV4HwoamFtdKxzmUrLUSSe3otnFWkBDt
cMc++xIjlk98SKZhkXGhEcrSWuqTKGZ0RG3t/28pnO4rc2N89IO4hGM8hmnoUdxr
S81pzyG1VyhWbXspvfM+Dk5JGZEWH2EgxccGHatT/jYSAg1CBYgZcS7rVCSiOCqp
TcwXGS1KY46GpTDSjj0muSazFF58x9I8PCXkPXbAv6rIBh0rwaB/OJs81LAderyk
YO93p9CiuyD/9ltTbyb3ym0/qeaiQhjupc28jbFm2PAh5f2zUm1fmUx8eGX5KY0T
1f8QpUq715VawQykfMLnFYoTHBf6Zt9K8RGWiEMMrZ4PdVjqYu0A/UfXzIuSlBgP
w2vVwDpqFbAc2OAfFRfiYln8gBzgWrqVeVeh1Dt+23YDmessYKZ2CtjISS+SaUzq
ntQ5dTRst2lyzmzSciSB
=RXDl
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.