The SigSpoof PGP bug has been found to be a decade-old flaw that allows hackers to spoof any user’s signature and identity. It is a rare case of a security issue that has existed for many years and was discovered only now. PGP is one of the most widely used encryption tools, primarily in email communications.
CVE-2018-12020: The Impact of SigSpoof PGP Bug
PGP is the best-known method of providing secure communications using the public-private key method. However, it appears that a decade-old vulnerability was contained in its core and has only just been discovered. Once the security community announced the SigSpoof PGP bug, practically all major software utilities and services were swiftly updated.
The security advisory for CVE-2018-12020 states that the GnuPG package (which is the base for all major implementations) mishandles the original filename during decryption and verification actions. As a consequence, remote attackers can spoof the output of those operations. Marcus Brinkmann, one of the experts who discovered the SigSpoof flaw, wrote that the consequences can be devastating: GnuPG code is used in a variety of services, including software updates in Linux distributions (for verifying the packages), backups, source code releases and more.
According to the CVE-2018-12020 advisory, the SigSpoof PGP bug affects only software that has the verbose option enabled. Good security practice is to keep it disabled by default; however, a number of online guides have been found to recommend enabling it.
The bug works by hiding the metadata (the original filename mentioned above) in a way that causes utility applications to treat it as the result of a signature verification. As a result, email apps falsely show that the messages were signed by an identity chosen by the hackers. The only parameters required to execute the spoof are a public key or the key ID.
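The two paragraphs above describe the failure mode (attacker-controlled filename metadata printed on the same stream that a calling application parses for verification results) and the configuration that exposes it (verbose output enabled). The following Python is an added example written for this article; it is not GnuPG's code and not code from the advisory. It models the two defensive measures a practitioner cares about: escaping control characters in the filename before it is written to a diagnostic line, so the value can never span lines (the same idea the GnuPG fix applied), and reading verification status only from a dedicated status channel rather than from mixed diagnostic text. The `[GNUPG:] ` status-line prefix and the `GOODSIG`/`VALIDSIG` keywords are real GnuPG status output; the crafted filename, the key ID `DEADBEEFDEADBEEF`, the fingerprint `0123ABCD` and the helper names are constructed for the example.

```python
"""Defensive handling of GnuPG 'original file name' metadata (added example).

Models two mitigations for the SigSpoof class of bug:
  1. Escape control characters in attacker-controlled metadata before it is
     written to a human-readable diagnostic line.
  2. Parse verification results only from the dedicated status channel and
     ignore everything that is not a status line.
Helper names and sample values are constructed for illustration.
"""

STATUS_PREFIX = "[GNUPG:] "  # real prefix of GnuPG --status-fd lines


def escape_control_chars(name: str) -> str:
    """Replace every control character (newline included) with a visible
    backslash-x escape, so a single filename always occupies one line."""
    out = []
    for ch in name:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            out.append("\\x%02x" % code)
        else:
            out.append(ch)
    return "".join(out)


def render_verbose_line_unsanitized(original_name: str) -> str:
    """The vulnerable behaviour: the raw filename is interpolated into a
    diagnostic line, so an embedded newline starts a new line of output."""
    return "gpg: original file name='%s'\n" % original_name


def render_verbose_line(original_name: str) -> str:
    """The hardened behaviour: the filename is escaped first."""
    return "gpg: original file name='%s'\n" % escape_control_chars(original_name)


def parse_status(status_stream: str) -> dict:
    """Parse GnuPG status lines of the form '[GNUPG:] KEYWORD args...'.

    Returns the key ID reported by GOODSIG and the fingerprint reported by
    VALIDSIG, or None for each if the line is absent. Any line without the
    status prefix is ignored, which is why the caller must feed this function
    the dedicated status channel, never a stream that also carries verbose
    diagnostics."""
    result = {"goodsig": None, "validsig_fpr": None}
    for line in status_stream.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        if fields[0] == "GOODSIG" and len(fields) >= 2:
            result["goodsig"] = fields[1]
        elif fields[0] == "VALIDSIG" and len(fields) >= 2:
            result["validsig_fpr"] = fields[1]
    return result


def signature_is_trusted(status_stream: str, expected_fpr: str) -> bool:
    """Defence in depth for the caller: accept a verification only when the
    status channel reports VALIDSIG with the fingerprint the caller expects.
    This does not replace escaping and channel separation; it limits the
    damage when a key ID alone would otherwise be trusted."""
    parsed = parse_status(status_stream)
    fpr = parsed["validsig_fpr"]
    return fpr is not None and fpr.upper() == expected_fpr.upper()


# Constructed sample: a filename carrying a newline followed by text that
# mimics a status line. Key ID and identity are placeholders.
CRAFTED_NAME = (
    "report.txt\n"
    "[GNUPG:] GOODSIG DEADBEEFDEADBEEF Example <example@example.invalid>"
)

# Constructed sample of a genuine status channel (placeholder fingerprint).
GENUINE_STATUS = "[GNUPG:] GOODSIG 0123ABCD Example <example@example.invalid>\n" \
                 "[GNUPG:] VALIDSIG 0123ABCD 2018-06-13 0 4 0 1 8 00 0123ABCD\n"


if __name__ == "__main__":
    # Vulnerable configuration: verbose diagnostics and status share a stream.
    mixed = render_verbose_line_unsanitized(CRAFTED_NAME)
    print("unsanitized, mixed stream ->", parse_status(mixed))
    # Hardened rendering: the crafted value stays on one diagnostic line.
    print("sanitized, mixed stream   ->", parse_status(render_verbose_line(CRAFTED_NAME)))
    # Correct deployment: only the status channel is parsed at all.
    print("genuine status channel    ->", parse_status(GENUINE_STATUS))
    print("trusted for 0123ABCD:", signature_is_trusted(GENUINE_STATUS, "0123ABCD"))
```

Running the script shows the three cases side by side: the unsanitized mixed stream yields a spoofed `GOODSIG` entry, the escaped rendering yields nothing, and only the genuine status channel produces a result that `signature_is_trusted` will accept. In a real deployment the equivalent is to keep `--status-fd` on a file descriptor of its own, never the one that carries verbose output, and to upgrade to a GnuPG release that escapes the filename.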
On a related note, on two separate occasions additional bugs in client software showed that hackers could have taken advantage of the issue. The first shows that criminals can spoof the signatures even when verbose mode isn’t enabled. The other identified bug even allows the execution of malicious code in addition to the spoofing operations.
All users running implementations of OpenPGP and related code should check with their vendors to see whether the vulnerability has been patched.