A severe vulnerability in GnuPG has been discovered by a security researcher Marcus Brinkmann. GnuPG is used in multiple email encryption software tools to encrypt and digitally sign messages.
The vulnerability (CVE-2018-12020), dubbed “SigSpoof” could have allowed digital spoofing for years.
Multiple email products are impacted to include GnuPG, Enigmail, GPGTools and python-gnupg.
“The attacker can inject arbitrary (fake) GnuPG status messages into the application parser to spoof signature verification and message decryption results. The attacker can control the key ids, algorithm specifiers, creation times and user ids, and does not need any of the private or public keys involved,” Brinkmann stated in the blog post.
Recommendations for users to address the vulnerability include:
- Don’t have verbose in gpg.conf.
- Do not use gpg –verbose on the command line.
- Upgrade to GnuPG 2.2.8 or GnuPG 1.4.23.
- Upgrade to Enigmail 2.0.7.
- Upgrade to GPGTools 2018.3.
Developers should also upgrade python-gnupg version to 0.4.3 and add “–no-verbose to all invocations of gpg.”