Advisory: PGP 7.0 signature verification vulnerability

[Michael Kjorling <michael () KJORLING COM>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Product: Pretty Good Privacy
Severity: Medium to high
Impact: Users with write access to signed exported key blocks may
replace them with arbitrary keys without any warning being issued
upon import of those keys
Local: Yes
Remote: No (though man-in-the-middle attacks is a possibility)
Vendor status: Network Associates was contacted December 20; see
below

Confirmed vulnerable: PGP for Desktop Security, version 7.0.0.0 build
242, on Windows 2000
Suspected vulnerable: All versions of PGP 7.0
Confirmed not vulnerable: none


Disclaimer:

This information is provided "as is", with no warranties of any kind,
either expressed or implied. It was discovered through trial and
error; the source code has not been examined as it has been out of my
reach. I take no responsibility for how the information contained
within this advisory is utilized.


Description:

There seems to be a vulnerability in the key import code in PGP 7.0
on the Win32/Intel platform, causing a signature on a full exported
and ASCII armored key block not to be checked when "Decrypt/Verify"
is selected to import the key(s). This means that any signatures on
the full exported key block is not checked, opening the possibility
for anyone who have write access to the file to replace the keys
without having to generate a new signature. Key signature
verification, however, is not affected by this vulnerability.


Exploit:

Given the possibility to write to the PGP signed file containing the
exported key(s), replace the keys without altering the signature. PGP
will not warn the user upon import of the keys that the signature has
become invalid. Man-in-the-middle attacks are also a possibility,
given an eavesdropper listening on the communications channel and
replacing the key material as it flows through the wires.


Workaround:

There is no known workaround, besides always verifying fingerprints
with the owner of the key as well as not trusting keys that have no
or just a few signatures.


Vendor status:

Network Associates was contacted by email to <pgpsupport () nai com> as
per instructions from their support department on December 20th,
2000, and they were advised that an advisory would be posted to
Bugtraq on Jan 8. The email was encrypted with their "Software
Release Key" which was the key I was pointed to when asking to whom I
should encrypt the email, but I still have not heard back from them.



Michael Kjörling
michael () kjorling com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
Comment: All computers wait at the same speed.

iQA/AwUBOlnVfSqje/2KcOM+EQLUgACePUxBaAKla2jBZzdquOeba3nESYYAoNdt
0vzBXN6YIZ1V50EboF4maM3/
=hJXy
-----END PGP SIGNATURE-----