[ISN] Bug may expose encrypted e-mail

From: InfoSec News (alerts@private)
Date: Thu Mar 08 2007 - 01:09:42 PST


By Joris Evers
Staff Writer, CNET News.com
March 7, 2007

A problem related to a widely used open-source cryptography technology 
could let miscreants tamper with digitally signed and encrypted e-mails.

The problem lies in how certain e-mail applications display messages 
signed using the GNU Privacy Guard, also known as GnuPG and GPG, the 
GnuPG group said in a security alert Tuesday. It may not be possible to 
identify which part of a message is actually signed if GPG is not used 
correctly, it said.

"It is possible to insert additional text before or after a signed, or 
signed and encrypted, OpenPGP message and make the user believe that 
this additional text is also covered by the signature," according to the 

This poses a risk to those who use the cryptographic technology to 
authenticate or encrypt e-mail messages. A similar problem occurred last 
year with the GnuPG technology.

Several open-source e-mail clients are affected by this latest issue, 
according to security company Core Security Technologies, which 
discovered the issue. The list of affected applications includes KDE's 
KMail, Novell's Evolution, Sylpheed, Mutt and GnuMail.org, according to 
Core. Enigmail, an extension to the Mozilla mail clients, is also 
vulnerable, the security research company said.

"It is important to note that this is not a cryptographic problem. It 
affects how information is presented to the user and how third-party 
applications interact with GnuPG," Core said in an alert.

In addition to adding content to seemingly secure e-mails, attackers can 
exploit the problem to bypass content-filtering defenses such as 
antispam mechanisms, Core said.

GnuPG is a free replacement for the Pretty Good Privacy cryptographic 
technology. An e-mail that uses OpenPGP cryptography can be made up of 
multiple sections, not all of which need to be signed or encrypted. 
E-mail programs that do not correctly interpret the message could 
indicate that a message is fully secure when, in fact, it is not.

"You see the pretty icon telling you that the whole message is encrypted 
and signed, whereas there is a section of it--text, image, binary, 
whatever--which isn't," Arrigo Triulzi, a SANS Internet Storm Center 
staffer, wrote on the organization's blog.

The GnuPG group has issued updates to prevent tampering with signed or 
encrypted messages, but it notes that individual e-mail applications 
might need updating as well, to correctly display signed messages after 
applying the GPG update.

"After applying one of these patches, some vulnerable applications may 
fail to handle certain messages," the GnuPG alert states. "Fixing the 
application is required, as there is no way for GnuPG to do it."

Enigmail software has already been updated.

Core also published a work-around to help users detect and prevent 
exploitation. If a signed message looks suspicious, the validity of the 
signature can be verified by manually invoking GnuPG from the command 
line and adding the special option "--status-fd" to gain extra 
information, Core suggested.
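As an added illustration of that work-around (example code, not from the article, Core or GnuPG), two checks a mail client or helper script could apply: splitting a clear-signed body into the text the signature covers and the text it does not, and reading `--status-fd` output to flag messages in which gpg processed more than one plaintext segment. The message body and status lines below are constructed samples, and the key id and fingerprint are placeholders.

```python
import re

# Constructed sample: a clear-signed message with unsigned text injected
# before and after the armored block (the situation the article describes).
SAMPLE_BODY = """Please wire the funds today.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The invoice is attached for review.
-----BEGIN PGP SIGNATURE-----

(signature data omitted in this constructed sample)
-----END PGP SIGNATURE-----
Confirmed by accounting.
"""

# Constructed sample of `gpg --status-fd 1` output for a message built from
# two literal data packets, only one of them signed. Key id is a placeholder.
SAMPLE_STATUS = """[GNUPG:] PLAINTEXT 62 1173288000
[GNUPG:] PLAINTEXT 62 1173288001
[GNUPG:] GOODSIG 0000000000000000 Example Sender <sender@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2007-03-07 1173288001 0 3 0 17 2 00 0000000000000000000000000000000000000000
"""

ARMOR_RE = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----.*?-----END PGP SIGNATURE-----\n?", re.S)

def split_signed_regions(body):
    """Separate the armored block(s), which the signature covers, from the
    surrounding text, which it does not, so a client can display them apart."""
    covered = ARMOR_RE.findall(body)
    uncovered = [part.strip() for part in ARMOR_RE.split(body) if part.strip()]
    return covered, uncovered

def assess_status(status_output):
    """Classify gpg status lines. More than one PLAINTEXT line means gpg
    emitted more than one data segment, so a GOODSIG does not vouch for all
    of the output; treat such a message as tampered with."""
    keywords = re.findall(r"^\[GNUPG:\] (\S+)", status_output, re.M)
    if keywords.count("PLAINTEXT") > 1:
        return "multiple-segments"
    if "BADSIG" in keywords or "ERRSIG" in keywords:
        return "bad-signature"
    if "GOODSIG" in keywords and "VALIDSIG" in keywords:
        return "ok"
    return "unsigned"
```

Run against the samples, `split_signed_regions` returns one covered block and two uncovered fragments, and `assess_status` returns "multiple-segments" despite the GOODSIG line.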

This archive was generated by hypermail 2.1.3 : Thu Mar 08 2007 - 01:25:34 PST