CVE-2018-12020: SigSpoof PGP Bug Allows Hackers to Spoof Signatures


The SigSpoof PGP bug turns out to be a decade-old threat that allows attackers to spoof any user's signature and identity. This is a rare instance of a security issue that has been present for many years and was only discovered now. PGP is one of the most widely used encryption tools, primarily used in email communications.

CVE-2018-12020: The Impact of SigSpoof PGP Bug

PGP is the best-known method for securing communications with public-private key cryptography. However, it appears that a decade-old vulnerability sat in its core and was only just discovered. Once the security community announced the SigSpoof PGP bug, practically all major software utilities and services were swiftly updated.

The security advisory for CVE-2018-12020 states that the GnuPG package (the base for all major implementations) mishandles the original filenames during decryption and verification operations. As a consequence, remote attackers can spoof the output of those operations. Marcus Brinkmann, one of the experts who discovered the SigSpoof flaw, wrote that the consequences can be devastating. The GnuPG code is used in a variety of services, including software updates in Linux distributions (for verifying packages), backups, source code releases and more.

According to the CVE-2018-12020 advisory, the SigSpoof PGP bug affects only software that has the verbose option enabled. Good security practice is to leave it disabled by default; however, a number of online guides have been found to recommend enabling it.

The bug works by hiding metadata in a way that causes the utility applications to treat it as the result of a signature verification. As a result, email apps falsely show that a message was signed by an identity chosen by the attacker. The (Read more...)
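The two practical lessons of the paragraphs above, that verification should not run with the verbose option enabled and that a program must take its verdict only from GnuPG's machine-readable status channel rather than from text that can be influenced by metadata such as an original filename, are shown below in a small Python script. This is an added example, not code from the article or from the GnuPG project. The gpg options it uses (`--status-fd`, `--no-verbose`, `--batch`, `--verify`) and the `[GNUPG:]` status keywords are real GnuPG interfaces; the descriptor number 3, the file names, the key id, the fingerprint, the gpg.conf text and every output line are constructed for the demonstration.

```python
"""Hardened consumer of GnuPG verification results (added example).

Two defensive habits that CVE-2018-12020 (SigSpoof) made relevant for
anything that automates signature checks:
  1. do not verify with 'verbose' enabled in gpg.conf, and
  2. take the verdict only from the machine-readable status channel
     (--status-fd on a descriptor of its own), never by pattern-matching
     the human-readable log on stderr.
All names, ids, fingerprints and output lines here are constructed.
"""

STATUS_PREFIX = "[GNUPG:] "

# Constructed gpg.conf: the bare 'verbose' line is the setting the
# advisory warns about; the commented copy is harmless.
SAMPLE_GPG_CONF = """\
keyserver hkps://keys.openpgp.org
#verbose
verbose
no-emit-version
"""

# Constructed status-channel output for one good signature.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] GOODSIG 89ABCDEF01234567 Example User <user@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-06-13 1528893344 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp
"""

# Constructed human-readable log from the same run. It echoes the original
# file name and says "Good signature", but none of it is a status line, so
# the parser below ignores all of it.
SAMPLE_STDERR = """\
gpg: Signature made Wed 13 Jun 2018 12:35:44 PM UTC
gpg: original file name='report.txt'
gpg: Good signature from "Example User <user@example.org>" [full]
"""


def audit_gpg_conf(conf_text):
    """Return every active 'verbose' line in a gpg.conf text.

    gpg.conf takes long options without leading dashes; they are stripped
    here too in case a guide told someone to paste '--verbose'.
    """
    findings = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0].lstrip("-") == "verbose":
            findings.append(line)
    return findings


def hardened_verify_argv(sig_path, data_path, status_fd=3):
    """Build a gpg command line whose status output gets its own descriptor.

    --status-fd N : result on descriptor N (assumed to be a pipe the caller
                    created and passes through, e.g. Popen(pass_fds=(N,)));
    --no-verbose  : overrides any 'verbose' inherited from gpg.conf;
    --batch       : no interactive prompts in an automated check.
    """
    return ["gpg", "--batch", "--no-verbose", "--status-fd", str(status_fd),
            "--verify", sig_path, data_path]


def parse_status(status_text):
    """Turn status-channel text into a verification verdict.

    Only lines with the '[GNUPG:] ' prefix are read. The verdict is positive
    only when GOODSIG and VALIDSIG were both seen and no failure keyword
    appeared; the fingerprint is the fixed VALIDSIG field, never free text.
    """
    result = {"verified": False, "keyid": None, "fingerprint": None,
              "signer": None, "trust": None, "errors": []}
    saw_goodsig = saw_validsig = False
    for raw in status_text.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue  # log text, not a status line: carries no verdict
        fields = raw[len(STATUS_PREFIX):].split(" ")
        keyword = fields[0]
        if keyword == "GOODSIG" and len(fields) >= 2:
            saw_goodsig = True
            result["keyid"] = fields[1]
            result["signer"] = " ".join(fields[2:])
        elif keyword == "VALIDSIG" and len(fields) >= 2:
            saw_validsig = True
            result["fingerprint"] = fields[1]
        elif keyword.startswith("TRUST_"):
            result["trust"] = keyword[len("TRUST_"):].lower()
        elif keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG",
                         "NODATA", "NO_PUBKEY"):
            result["errors"].append(keyword)
    result["verified"] = saw_goodsig and saw_validsig and not result["errors"]
    return result


def accept_signature(result, allowed_fingerprints):
    """Accept a verdict only for a pinned signing key, not just any key."""
    return bool(result["verified"]) and result["fingerprint"] in allowed_fingerprints


if __name__ == "__main__":
    print("verbose in gpg.conf:", audit_gpg_conf(SAMPLE_GPG_CONF))
    print("argv:", " ".join(hardened_verify_argv("pkg.tar.gz.sig", "pkg.tar.gz")))
    verdict = parse_status(SAMPLE_STATUS)
    print("status verdict:", verdict)
    print("stderr alone verifies:", parse_status(SAMPLE_STDERR)["verified"])
    print("pinned key accepted:", accept_signature(verdict, {verdict["fingerprint"]}))
```

The design point is that the human-readable log and the status channel are kept on different descriptors, so whatever a signed file's metadata makes gpg print in the log can never reach the code that decides whether a signature is good, and the decision itself is pinned to a known fingerprint rather than to "some key signed this".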

