Several popular email encryption tools have been found to be vulnerable to spoofed signature attacks for decades, according to an advisory post published by Marcus Brinkmann, lead developer of NeoPG, on Wednesday.
The critical vulnerability—called SigSpoof, and indexed as CVE-2018-12020—affects GnuPG, Enigmail, GPGTools, and python-gnupg, Brinkmann found. The root cause goes all the way back to GnuPG 0.2.2 in 1998, he told Ars Technica.
Digital signatures are used to verify the source of an encrypted message, data backup, or software update, Ars Technica noted. Normally the sender needs the private signing key to produce a signature that the recipient's application will display as valid. However, SigSpoof made it possible for attackers to fake signatures with only a person's public key or key ID, which are often published online. Worse, users can't tell whether a spoofed email is malicious without complicated forensic analysis, so it's likely they'd never know, Brinkmann wrote in the advisory.
Essentially, this means that decades of email messages used for sensitive business, government, or security matters may have been spoofs, Ars Technica noted. But, it goes further than that, affecting the daily operations of IT and developers as well.
“The vulnerability in GnuPG goes deep and has the potential to affect a large part of our core infrastructure,” Brinkmann wrote in the advisory. “GnuPG is not only used for email security but also to secure backups, software updates in distributions, and source code in version control systems like Git.”
SigSpoof only affects the vulnerable software when a setting called "verbose," which is used to troubleshoot bugs, is enabled, Ars Technica said. While none of the vulnerable programs enable it by default, a number of recommended configurations available online turn it on, opening the program to the attack.
The bugs have since been patched in updates to GnuPG, Enigmail, GPGTools, and python-gnupg. Enigmail and the Simple Password Store have also gotten patches for two related spoofing bugs, according to the advisory.
To protect themselves, users should do the following, according to Brinkmann:
- Make sure you don't have verbose in gpg.conf.
- Do not use gpg --verbose on the command line.
- Upgrade to GnuPG 2.2.8 or GnuPG 1.4.23.
- Upgrade to Enigmail 2.0.7.
- Upgrade to GPGTools 2018.3.
Meanwhile, developers should add "--no-verbose" to all invocations of gpg, and upgrade to python-gnupg 0.4.3, Brinkmann advised in the post.
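As an added illustration (not code from the advisory or from any of the projects named above), the POSIX shell script below automates the two user-side checks just listed: an active verbose option in gpg.conf, and the installed GnuPG version against the fixed releases 2.2.8 and 1.4.23. The sample config file and version banner are constructed for the demo, and the function names (check_gpg_conf, gnupg_fixed, audit_host) are chosen here.

```shell
#!/bin/sh
# Added example, not code from the advisory or GnuPG: audit a gpg.conf for
# an active "verbose" option and compare a GnuPG version against the fixed
# releases the advisory names (2.2.8 for the 2.x line, 1.4.23 for 1.4.x).

# Return 0 if the given gpg.conf has no active (uncommented) "verbose"
# option, 1 if it does; offending lines are printed with line numbers.
check_gpg_conf() {
    [ -f "$1" ] || return 0             # no config file, nothing to flag
    ! grep -En '^[[:space:]]*verbose([[:space:]]|$)' "$1"
}

# Turn "MAJOR.MINOR.PATCH" into a single comparable integer.
version_key() {
    set -- $(printf '%s' "$1" | sed 's/[^0-9.].*//' | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# version_ge A B: succeed if version A is at least version B.
version_ge() { [ "$(version_key "$1")" -ge "$(version_key "$2")" ]; }

# Is this GnuPG version one of the fixed releases or later?
gnupg_fixed() {
    case "$1" in
        1.*) version_ge "$1" 1.4.23 ;;
        *)   version_ge "$1" 2.2.8 ;;
    esac
}

# Extract the version from the first line of `gpg --version` output,
# e.g. "gpg (GnuPG) 2.2.7" -> "2.2.7".
gnupg_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^gpg (GnuPG[^)]*) \([0-9][0-9.]*\).*/\1/p'
}

# Run both checks on the live host (skips the version check without gpg).
audit_host() {
    check_gpg_conf "${GNUPGHOME:-$HOME/.gnupg}/gpg.conf" || echo "gpg.conf: remove 'verbose'"
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed"; return 0; }
    v=$(gnupg_version_from_banner "$(gpg --version)")
    gnupg_fixed "$v" && echo "GnuPG $v: fixed" || echo "GnuPG $v: upgrade to 2.2.8 / 1.4.23"
}

# Demo on constructed input: a sample gpg.conf with verbose enabled and a
# banner standing in for `gpg --version` on an unpatched host.
sample=$(mktemp)
printf '# verbose (commented out)\nkeyid-format 0xlong\nverbose\n' > "$sample"
check_gpg_conf "$sample" && echo "sample gpg.conf: ok" || echo "sample gpg.conf: verbose is enabled"
rm -f "$sample"
ver=$(gnupg_version_from_banner "gpg (GnuPG) 2.2.7
libgcrypt 1.8.3")
gnupg_fixed "$ver" && echo "GnuPG $ver: fixed" || echo "GnuPG $ver: upgrade to 2.2.8 / 1.4.23"
```

Call audit_host to run the same checks against your own ~/.gnupg/gpg.conf and installed gpg; the developer-side advice (adding --no-verbose to every gpg invocation) is not something a config check can see, so review scripts and wrappers separately.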
The big takeaways for tech leaders:
- A decades-old flaw called SigSpoof was found in popular email encryption tools, leaving them vulnerable to spoofed signature attacks.
- Users should update GnuPG, Enigmail, GPGTools, and python-gnupg to patch the bug.