Notre sélection d'alertes et avis SSI.
Sources : US Cert, Cert EU, Cert FR, Cnil, VulDB.

vendredi 15 juin 2018

Signature Spoofing Vulnerability in GnuPG (CERT-EU Security Advisory 2018-016)

On 13th of June 2018, Marcus Brinkmann released technical details concerning a vulnerability impacting GnuPG and most applications based on GnuPG (Enigmail, GPGtools, python-gnupg, etc.) [1]. This vulnerability can be exploited by a remote attacker to spoof signatures in encrypted messages. Security researchers named those vulnerabilities SigSpoof. To exploit the vulnerabilities, the verbose option needs to be enabled (via configuration file or via command line parameter). A successful exploitation of the vulnerability allows the attacker to spoof signature verification and message decryption results. Concerning Enigmail, exploitation of the vulnerability does not even need the message to be encrypted (encryption is spoofed as well).

Lien vers l'article source

Auteur: Cert EU

Catégories: CertEUNombre de vues: 227


Événements SSI