The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of PGP Desktop: incorrect validation of signature

Synthesis of the vulnerability 

An attacker can inject data in a valid OpenPGP message, in order to force PGP Desktop to recognize this data as signed.
Impacted software: PGP Desktop.
Severity of this computer vulnerability: 3/4.
Creation date: 19/11/2010.
References for this announcement: BID-44920, CERTA-2010-AVI-566, CVE-2010-3618, SYM10-012, VIGILANCE-VUL-10138, VU#300785.

Description of the vulnerability 

RFC 4880 defines the format of OpenPGP messages. A message is a sequence of packets; the data packets it carries may be signed and/or encrypted, and a signature only covers the packets it is computed over.

An attacker who has captured an OpenPGP message in transit between a sender and a receiver can:
 - insert an unsigned packet (if the message contains a signed packet)
 - insert an encrypted but unsigned packet (if the message contains an encrypted and signed packet)
In both cases, the receiver's PGP Desktop displays two data packets and indicates that both are signed, even though only the original packet is covered by the signature it verified.

An attacker can therefore inject data in a valid OpenPGP message, in order to force PGP Desktop to recognize this data as signed.
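The check that a receiving implementation must perform is structural before it is cryptographic: every data packet it shows as "signed" has to sit inside the signature bracket of the message, and anything after the closing Signature packet is simply not covered. The following script is an added example written for this page; it is not PGP Desktop code, nor Symantec's or Vigil@nce's. It parses RFC 4880 packet headers (old and new format), applies the message grammar of RFC 4880 section 11.3, and reports which Literal Data packets are enclosed by a One-Pass Signature / Signature pair. The sample messages, the key ID and the Signature packet body are constructed placeholders; the example does not verify the signature itself and models only the unencrypted signed case from the first bullet above.

```python
"""
Structural coverage check for Literal Data packets in an OpenPGP message.
Parses RFC 4880 packet headers and applies the section 11.3 message grammar;
it does NOT verify the signature cryptographically (a real implementation
must do that afterwards, over exactly the packets reported as covered).
"""
import struct

# Packet tags, RFC 4880 section 4.3
TAG_SIGNATURE = 2
TAG_ONE_PASS_SIG = 4
TAG_LITERAL = 11


def parse_packets(raw):
    """Split a binary OpenPGP message into (tag, body) tuples (RFC 4880 section 4.2)."""
    packets, i, n = [], 0, len(raw)
    while i < n:
        ptag = raw[i]
        if not ptag & 0x80:
            raise ValueError(f"bad packet tag byte at offset {i}")
        i += 1
        if ptag & 0x40:                                  # new-format header
            tag, body, partial = ptag & 0x3F, b"", True
            while partial:                               # loop joins partial body lengths
                first = raw[i]
                i += 1
                if first < 192:
                    length, partial = first, False
                elif first < 224:
                    length, partial = ((first - 192) << 8) + raw[i] + 192, False
                    i += 1
                elif first == 255:
                    length, partial = struct.unpack(">I", raw[i:i + 4])[0], False
                    i += 4
                else:
                    length = 1 << (first & 0x1F)         # partial body length, keep looping
                if i + length > n:
                    raise ValueError("truncated packet body")
                body += raw[i:i + length]
                i += length
        else:                                            # old-format header
            tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
            if ltype == 0:
                length, i = raw[i], i + 1
            elif ltype == 1:
                length, i = struct.unpack(">H", raw[i:i + 2])[0], i + 2
            elif ltype == 2:
                length, i = struct.unpack(">I", raw[i:i + 4])[0], i + 4
            else:
                length = n - i                           # indeterminate: runs to end of input
            if i + length > n:
                raise ValueError("truncated packet body")
            body, i = raw[i:i + length], i + length
        packets.append((tag, body))
    return packets


def literal_data(body):
    """Payload of a Literal Data packet (RFC 4880 section 5.9): skip format byte,
    filename (length-prefixed) and the 4-byte timestamp."""
    name_len = body[1]
    return body[2 + name_len + 4:]


def audit(raw):
    """Return [(payload, signed)] for every data packet. 'signed' is True only for
    packets inside a One-Pass Signature / Signature bracket (or after a leading
    Signature packet). Packets after the first complete message lie outside every
    bracket and are reported as unsigned."""
    packets = parse_packets(raw)
    findings = []

    def message(i, signed):
        # Consume one OpenPGP Message (RFC 4880 section 11.3); return index after it.
        if i >= len(packets):
            raise ValueError("truncated message")
        tag, body = packets[i]
        if tag == TAG_ONE_PASS_SIG:
            j = message(i + 1, True)
            if j >= len(packets) or packets[j][0] != TAG_SIGNATURE:
                raise ValueError("One-Pass Signature without closing Signature packet")
            return j + 1
        if tag == TAG_SIGNATURE:                          # "Signature Packet, OpenPGP Message" form
            return message(i + 1, True)
        if tag == TAG_LITERAL:
            findings.append((literal_data(body), signed))
            return i + 1
        raise ValueError(f"packet tag {tag} not handled here (compressed/encrypted data)")

    end = message(0, False)
    for tag, body in packets[end:]:                       # injected material: not covered
        payload = literal_data(body) if tag == TAG_LITERAL else b"<tag %d>" % tag
        findings.append((payload, False))
    return findings


# --- constructed sample messages (not real PGP output) ----------------------
def new_packet(tag, body):
    """Encode a packet with a new-format header (RFC 4880 section 4.2.2)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def old_packet(tag, body):
    """Encode a packet with an old-format header and 1-byte length (section 4.2.1)."""
    return bytes([0x80 | (tag << 2)]) + bytes([len(body)]) + body


def literal_body(text, name=b"msg.txt"):
    return b"b" + bytes([len(name)]) + name + struct.pack(">I", 0) + text


FAKE_KEY_ID = bytes.fromhex("0123456789abcdef")          # made-up key ID
# version 3 one-pass signature: sig type 0x00, hash alg 8, pk alg 1, key ID, nested=1
ONE_PASS = new_packet(TAG_ONE_PASS_SIG, bytes([3, 0x00, 8, 1]) + FAKE_KEY_ID + b"\x01")
SIGNATURE = new_packet(TAG_SIGNATURE, b"\x04\x00\x01\x08" + b"\x00" * 12)  # placeholder body

SIGNED_MESSAGE = ONE_PASS + new_packet(TAG_LITERAL, literal_body(b"Invoice total: 100 EUR")) + SIGNATURE
# The on-the-wire attacker appends a packet of their own after the closing
# Signature packet; an old-format header must be accepted just the same.
TAMPERED_MESSAGE = SIGNED_MESSAGE + old_packet(TAG_LITERAL, literal_body(b"Pay to account 999 instead"))

if __name__ == "__main__":
    for label, msg in (("genuine", SIGNED_MESSAGE), ("tampered", TAMPERED_MESSAGE)):
        print(label)
        for payload, signed in audit(msg):
            print("  ", "SIGNED  " if signed else "UNSIGNED", payload.decode())
```

Run stand-alone, the genuine message yields one SIGNED packet and the tampered one yields the same packet plus the appended text marked UNSIGNED, which is the distinction the advisory says PGP Desktop failed to draw. A parser that merely collects every Literal Data packet and then verifies one signature reproduces the bug; tying the "signed" label to the grammar bracket, as above, is the fix.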

This security alert impacts software or systems such as PGP Desktop.

Our Vigil@nce team determined that the severity of this security weakness is important.

Trust level: confirmed by the vendor, based on the vendor's own document.

A proof of concept or an attack tool is available, so your teams must process this alert. An attacker with technician-level skills can exploit this vulnerability.

Solutions for this threat 

PGP Desktop: version 10.1.0 SP1.
Version 10.1.0 SP1 is fixed:
  http://www.symantec.com/

PGP Desktop: version 10.0.3 SP2.
Version 10.0.3 SP2 is fixed:
  http://www.symantec.com/

Computer vulnerabilities tracking service 

Vigil@nce provides software vulnerability alerts. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.