[ISN] PGPsdk Key Validity Vulnerability

From: InfoSec News (isnat_private)
Date: Tue Sep 04 2001 - 23:16:47 PDT

  • Next message: InfoSec News: "RE: [ISN] Guard the Secrets, Then Catch the Spies"

    Forwarded from: "Jay D. Dyson" <jdysonat_private>
    Courtesy of Bugtraq.
    Follow-up per the previous report.
    - ---------- Forwarded message ----------
    Date: Tue, 4 Sep 2001 16:37:07 +0200
    From: Patrick Oonk <patrickat_private>
    To: bugtraqat_private
    Subject: PGPsdk Key Validity Vulnerability
    A vulnerability in PGP's display of key validity has been discovered
    that could allow an attacker to fool users into thinking that a valid
    signature was created by what is actually an invalid user ID. If the
    attacker can obtain a signature on their key from a trusted third party,
    they can then add a second user ID to their key which is unsigned. The
    attacker must then switch the unsigned false user ID to primary and
    convince the victim to place the key on their keyring. In such a case,
    some of the displays in PGP do not properly identify the false user ID
    as invalid because the second user ID is fully valid. Whenever PGP
    displays validity information on a per-user ID basis, the display is
    correct. Thus, attentive users who examine the user IDs of all public
    keys which they import to their keyrings will immediately notice this
    problem before it could have any impact.
    This issue was discovered and reported to Network Associates/PGP
    Security, Inc. by Sieuwert van Otterloo.
    This issue has been corrected such that all key validity displays in PGP
    will properly mark the unsigned user ID as invalid. Hotfixes are now
    available for the following products:
    * PGP Corporate Desktop v7.1 (MacOS9/Win32)
    * PGP Personal Security v7.0.3 (MacOS9/Win32)
    * PGP Freeware v7.0.3 (MacOS9/Win32)
    * PGP E-Business Server v7.1 (Linux/Solaris/AIX/HPUX/Win32)
    Product upgrades are available for the following products:
    * PGP E-Business Server v6.5.8x (OS/390)
    * PGP E-Business Server v7.0.4 (Linux/Solaris/AIX/HPUX/Win32)
    The hotfixes and upgrades can be found at:
    Network Associates/PGP Security Inc. has published the PGPsdk source
    code in electronic form for academic and cryptographic peer review. The
    source packages can be downloaded from:
    - -- 
     Patrick Oonk - PO1-6BONE - E: patrickat_private - www.pine.nl/~patrick
     Pine Internet  -  PAT31337-RIPE  -   Hushmail: p.oonkat_private
     T: +31-70-3111010  -   F: +31-70-3111011   -  http://security.nl
     PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF  2F64 A65C 42AE 155C 3934
     Excuse of the day: disks spinning backwards - toggle the
     hemisphere jumper.
    Version: 2.6.2
    Comment: See http://www.treachery.net/~jdyson/ for current keys.
    -----END PGP SIGNATURE-----
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Sep 05 2001 - 01:08:37 PDT