
Security Advisories Relating to Symantec Products - PGP Desktop Unsigned Data Insertion

SYM10-012

November 18, 2010

Revision History

none

Severity

Medium

Remote Access: Yes
Local Access: Yes
Authentication Required: No
Exploit publicly available: Proof of Concept

Overview

Affected versions of PGP Desktop are vulnerable to a data insertion vulnerability. Unsigned (insecure) data could be inserted into OpenPGP messages signed by a trusted source. When the message is decrypted and verified, PGP Desktop may incorrectly identify the message as being fully valid.

Product(s) Affected

Product                          | Version          | Solution
PGP Desktop for Windows and OS X | 10.0.3 and prior | Upgrade to 10.0.3 SP2
PGP Desktop for Windows and OS X | 10.1.0           | Upgrade to 10.1.0 SP1

Product(s) Not Affected

Product          | Version
PGP Command Line | 9.6 and greater

Details

Symantec was notified of a data insertion vulnerability identified in affected versions of PGP Desktop. As defined in RFC 4880, OpenPGP messages are composed of "packets" of information. For example, an OpenPGP message may contain data, signatures, encrypted content, etc. Typically, messages are signed and encrypted, or perhaps just signed, or just encrypted. If a file is signed, there is assurance that it came from a known source (the signer) and was not tampered with.

A skilled attacker, who could successfully intercept an OpenPGP encrypted message from a sender and retransmit to the original recipient, could insert unsigned packets into the OpenPGP message containing signed data. In some circumstances, PGP Desktop will output both the signed and unsigned data, and verify the data as being signed, even though it contains unsigned data.

Alternately, the attacker could insert encrypted data into an OpenPGP message that contains signed and encrypted data. If done successfully, PGP Desktop will output both the encrypted data and the encrypted and signed data, and report that the signature was verified.

A malicious individual with physical access to stored OpenPGP messages can also perform this attack off-line, by inserting the unsigned data into the stored file contents.
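The structural check implied by the description above, as an added example that is not PGP Desktop code or anything from the advisory: a verifier walks the RFC 4880 packet sequence and flags any literal-data packet that is not enclosed in a one-pass-signature/signature envelope, which is exactly the condition an inserted unsigned packet violates. Packet bodies and the two sample messages are constructed dummies; only the one-pass signed layout is handled (the older signature-then-data layout and the nested encrypted case are not).

```python
# Structural check for an OpenPGP packet stream (RFC 4880): flag literal-data packets
# that are not enclosed by a one-pass-signature ... signature envelope.
TAG_SIGNATURE, TAG_ONE_PASS_SIG, TAG_LITERAL = 2, 4, 11

def parse_packets(data: bytes):
    """Return [(tag, body), ...]; handles old- and new-format headers (RFC 4880 4.2)."""
    packets, i = [], 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("packet header bit 7 must be set")
        if ctb & 0x40:                      # new-format header
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:                           # partial body lengths: not handled here
                raise ValueError("partial body length unsupported")
        else:                               # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length unsupported")
            n = 1 << ltype                  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("packet body truncated")
        packets.append((tag, data[i:i + length]))
        i += length
    return packets

def unsigned_literal_indices(packets):
    """Indices of literal packets outside any one-pass-signature/signature envelope."""
    depth, unsigned = 0, []
    for idx, (tag, _) in enumerate(packets):
        if tag == TAG_ONE_PASS_SIG:
            depth += 1
        elif tag == TAG_SIGNATURE:
            depth = max(depth - 1, 0)
        elif tag == TAG_LITERAL and depth == 0:
            unsigned.append(idx)
    return unsigned

# Constructed samples (new-format headers 0xC0|tag, one-octet lengths, dummy bodies):
# a one-pass signed message, then the same bytes with an old-format literal appended.
SIGNED = (bytes([0xC4, 13]) + b"\x03" * 13 + bytes([0xCB, 8]) + b"b\x00signed"
          + bytes([0xC2, 20]) + b"\x04" * 20)
INSERTED = SIGNED + bytes([0xAC, 8]) + b"b\x00extra!"
```

A verifier that applies this check would refuse to report INSERTED as "signature verified" because its fourth packet carries data the signature never covered.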

The following matrix describes how PGP Desktop is vulnerable to these attacks, either by decrypting and verifying the data with PGP Desktop itself, or by right-clicking the OpenPGP message file and choosing to decrypt and verify.

PGP Desktop for Windows

                                    | Unsigned Data Alongside Signed Data | Encrypted Data Alongside Encrypted+Signed Data
Decrypt/Verify File in PGP Desktop  | Not Vulnerable                      | Not Vulnerable
Decrypt/Verify File via Right-Click | Vulnerable                          | Vulnerable

PGP Desktop for OS X

                                    | Unsigned Data Alongside Signed Data | Encrypted Data Alongside Encrypted+Signed Data
Decrypt/Verify File in PGP Desktop  | Not Vulnerable                      | Vulnerable
Decrypt/Verify File via Right-Click | Not Vulnerable                      | Vulnerable

Note: Double-clicking an OpenPGP (.pgp) message file will cause the file to be opened for decryption and verification in PGP Desktop.

Symantec Response

PGP product engineers have developed and released a solution. Concerned PGP customers can download Service Pack updates for 10.0.3 and 10.1 by contacting PGP Customer Support.

Workaround:

Users of affected versions of PGP Desktop for Windows should open files for decryption and verification from within the PGP Desktop application, by selecting File->Open and browsing to the file name. Alternately, double-click the file icon to have it opened in PGP Desktop automatically.

Credit

Symantec thanks Eric Verheul, Digital Security group, Radboud University Nijmegen, for identifying and reporting this issue.

References

Security Focus, http://www.securityfocus.com, has assigned a Bugtraq ID (BID) 44920 to this issue for inclusion in the Security Focus vulnerability database.

This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org). The CVE initiative has assigned CVE-2010-3618 to this issue.
Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows responsible disclosure guidelines.
Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A member of the Symantec Product Security team will contact you regarding your submission to coordinate any required response. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the location below.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

Copyright (c) by Symantec Corp.

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Product Security. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Product Security, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Last modified on: November 18, 2010