Vulnerability Note VU#300785

PGP Desktop unsigned data injection vulnerability

Original Release date: 18 Nov 2010 | Last revised: 19 Nov 2010

Overview

PGP Desktop 10.0.3 and earlier versions as well as 10.1.0 are vulnerable to an unsigned data injection attack. PGP Command Line versions 9.6 and greater are not affected by this vulnerability.

Description

The PGP Desktop user interface incorrectly displays messages with unsigned data as signed. A user will not be able to distinguish the legitimate signed part from the malicious unsigned parts. Additional details may be found in PGP's KnowledgeBase article 2290, Symantec's Security Advisory SYM10-012, and Eric R. Verheul's Pretty Good Piggy-backing paper.

Impact

An attacker could add a message part (attachment) to a valid, signed PGP message and the entire message, including the attacker's message part, would be reported to the reader as having a valid signature.

Solution

Apply an Update

Users should upgrade to version 10.0.3 SP2 or 10.1.0 SP1.

PGP recommends the following workaround:


If you use PGP Desktop for Windows, do not use the Decrypt & Verify shortcut menu available when you right-click an OpenPGP message file. Instead, launch PGP Desktop, select File->Open, browse to the file name, and open the file. Alternately, double-click the file icon to have it opened in PGP Desktop automatically.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
SymantecAffected14 Nov 201018 Nov 2010
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Eric R. Verheul for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2010-3618
  • Date Public: 16 Nov 2010
  • Date First Published: 18 Nov 2010
  • Date Last Updated: 19 Nov 2010
  • Severity Metric: 0.41
  • Document Revision: 25

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.