Pass gets a fail: Simple Password Store suffers GnuPG spoofing bug
Brinkmann files third signature spoof vulnerability in a month
Security researcher Marcus Brinkmann has turned up another vulnerability in the GnuPG cryptographic library, this time specific to the Simple Password Store.
Brinkmann explained that CVE-2018-12356 offers both access to passwords and possible remote code execution.
This bug is an incomplete regex in GnuPG's signature verification routine, meaning an attacker can spoof file signatures on configuration files and extension scripts (Brinkmann has dubbed the bug “SigSpoof 3” as the third signature spoofing bug he's found).
“Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution,” Brinkmann wrote in the advisory.
This looks like a relatively minor issue, but Brinkmann explained to The Register it could have far-reaching consequences.
GnuPG patched to thwart 'fake filename'READ MORE
“First, my primary concern the last three weeks has been and still is that there may be critical infrastructure in the free software community that does insufficient signature verification with GnuPG. I have made some progress notifying the community about this problem, but this is still an ongoing investigation, and there will be updates to SigSpoof [to take care of bugs like this one – El Reg] soon.”
While Brinkmann has complained about GnuPG disclosure processes in the past, he declined to comment further, telling The Register his focus is on notifying the community and fixing the code.
Explaining the bug at his NeoPG blog, Brinkmann wrote that it arose out of two weak design choices in GnuPG and Pass: “Pass matches the GnuPG status message
VALIDSIG (indicating a valid signature and corresponding key details) at any position within a line in the output; [and] GnuPG emits the primary user ID of a signing key at the end of a
GOODSIG status line, without escaping whitespace.”
(NeoPG is Brinkmann's “opinionated fork” of GnuPG 2, designed to “clean up the code and make it easier to develop”.)
One of those contributing to GnuPG fixes is Mauritian developer Logan Velvindron, part of the Hackers.mu team whose work on TLS 1.3 we've previously covered.
Velvindron told us it's hard to identify just how many downstream projects inherit a vulnerability like the one Brinkmann spotted, but the number of problem projects will likely be non-trivial because the GnuPG cryptographic suite has applications beyond e-mail protection.
“We're working with Marcus to push as many fixes as we can,” he said, listing projects such as Bitcoin, Litecoin, and the Dash shell as examples.
Brikmann's new bug is the third found in GnuPG in the last few weeks, so The Register asked Velvindron why such a cluster of bugs has been detected within such a short space of time.
Velvindron suggested “It's because everybody has been parsing GPG the same way, not thinking about questions like 'What are the issues with verbose output?', and 'What if this string is somewhere else?'”
As well as Logan, Hackers.mu participants in the GnuPG work include Codarren Velvindron, Nitin Mutkawoa, Rahul Golam, Muzaffar Auhammud, Kifah Meeran and Nigel Yong. ®