39C3: Multiple vulnerabilities in GnuPG and other cryptographic tools
Security researchers have found various security-relevant errors in GnuPG and similar programs. Many of the vulnerabilities are (still) not fixed.
(Image: Anna Gundler / heise medien)
At the 39th Chaos Communication Congress, security researchers Lexi Groves, aka 49016, and Liam Wachter demonstrated a whole series of vulnerabilities in various tools for encrypting and signing data. In total, the researchers found 14 vulnerabilities in four different programs. All discovered problems are implementation errors, meaning they do not affect the fundamental security of the methods used, but rather their concrete – and indeed flawed – implementation in the respective tool.
The focus of the presentation was the popular PGP implementation GnuPG, whose code is generally considered to be well-established. Nevertheless, the security researchers found numerous vulnerabilities, including typical errors when processing C strings through injected null bytes. This allowed, among other things, signatures to be falsely displayed as valid, or it was possible to prepend text to signed data that was neither captured nor exposed as a modification by the signature.
The issues found in GnuPG cover a broad spectrum of causes: attackers could exploit clearly erroneous code, provoke misleading output that tempts users into fatal actions. Furthermore, they could inject ANSI sequences that, while correctly processed by GnuPG, lead to virtually arbitrary output in the victim's terminal. The latter can be exploited to give users malicious instructions that only appear to come from GnuPG, or to overwrite legitimate security queries from GnuPG with harmless follow-up questions, causing users to unintentionally approve dangerous actions.
The security researchers also found some discovered problem types in other tools, such as the newer PGP implementation Sequoia-PGP or the signature tool Minisign. In the encryption tool age, they discovered a way to execute any programs present on the victim's computer via the plug-in system. The researchers provide a comprehensive overview of all found issues on the website gpg.fail.
Videos by heise
Many vulnerabilities still open
Some vulnerabilities found have been fixed in the current versions of the affected programs, but this is not the case for many. Partly because patches have been adopted but no new version with them has been released yet, but partly also because the program authors do not see a problem to be corrected in their tool.
The researchers particularly praised the reaction to the vulnerability in age: Not only was the error fixed in the various age implementations, but the specification was also updated to prevent the problem. Directly at the hacker congress, age developer Filippo Valsorda even went a step further: He was in the audience of the presentation and used the mandatory Q&A session at the end to thank the researchers for their work. He also presented them with an improvised bug bounty in the form of stickers and pins.
The researchers also provide advice on their website on how to avoid the found errors – from both developer and user perspectives. In general, users should also perceive seemingly harmless error messages as serious warnings and avoid cleartext signatures – as recommended by the GnuPG man page. The researchers also suggest rethinking the use of cryptography tools on the command line in general: due to the mentioned ANSI sequences, users can be misled, even if all tools work without errors.
(vza)
