Overview
PGP Desktop fails to properly validate objects passed into the PGP Desktop service. This vulnerability may allow a remote, authenticated attacker to execute arbitrary code.
Description
PGP Desktop versions prior to 9.5.1 fail to properly validate objects passed into the PGP Desktop service (PGPServ.exe/PGPsdkServ.exe). This service is installed by PGP Desktop to transport objects and data between the PGP clients and the PGP Desktop service. The PGP Desktop service fails to properly validate user-supplied data. This may allow a remote, authenticated attacker to overwrite arbitrary memory.
Impact
A remote, authenticated attacker may be able to execute arbitrary code, possibly with elevated privileges.
Solution
Upgrade: PGP has addressed this issue in PGP version 9.5.1 and above.
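An added example, not part of the original advisory: one way to flag installations prior to 9.5.1 from a software inventory export. The CSV layout, host names and version strings are constructed assumptions; versions are compared numerically so that a release such as 9.10 is not mistaken for one older than 9.5.1.

```python
import csv
import io
import re

FIXED = (9, 5, 1)  # first fixed release according to the advisory

# Constructed sample inventory; host names and version strings are invented.
SAMPLE_INVENTORY = """host,product,version
ws-001,PGP Desktop,9.0.6
ws-002,PGP Desktop,9.5.1
ws-003,PGP Desktop,9.5.0 (Build 1202)
ws-004,PGP Desktop,9.10.0
ws-005,PGP Desktop,unknown
ws-006,Other Product,1.0
"""


def parse_version(text):
    """Return the leading dotted-number version as a tuple of ints, or None."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad short versions so "9.5" is treated as 9.5.0.
    return parts + (0,) * (len(FIXED) - len(parts))


def triage(inventory_csv, product="PGP Desktop"):
    """Map host -> 'vulnerable' | 'fixed' | 'unknown' for rows of the product."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != product.lower():
            continue
        version = parse_version(row["version"])
        if version is None:
            result[row["host"]] = "unknown"  # unparseable: verify by hand
        elif version[:len(FIXED)] < FIXED:
            result[row["host"]] = "vulnerable"
        else:
            result[row["host"]] = "fixed"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown should be checked manually rather than assumed fixed.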
References
- https://pgp.custhelp.com/cgi-bin/pgp.cfg/php/enduser/std_adp.php?p_faqid=703
- http://secunia.com/advisories/23938/
- http://www.ngssoftware.com/advisories/medium-risk-vulnerability-in-pgp-desktop/
- http://www.itnews.com.au/newsstory.aspx?CIaNID=44982&src=site-marq
- http://www.vnunet.com/vnunet/news/2173564/flaw-found-pgp-encryption
Acknowledgements
This vulnerability was reported by Peter Winter-Smith of NGSSoftware.
This document was written by Katie Steiner.
Other Information
CVE IDs: CVE-2007-0603
Severity Metric: 4.04
Date Public: 2007-01-25
Date First Published: 2007-01-31
Date Last Updated: 2007-02-12 09:15 UTC
Document Revision: 25