SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:   Application (Security)  >   PGP Vendors:   Network Associates
PGP May Fail to Warn of Invalid Signatures in Certain Situations
SecurityTracker Alert ID:  1002318
SecurityTracker URL:  http://securitytracker.com/id/1002318
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 4 2001
Impact:   Modification of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Corporate Desktop v7.1 (MacOS9/Win32), Personal Security v7.0.3 (MacOS9/Win32), Freeware v7.0.3 (MacOS9/Win32), E-Business Server
Description:   Network Associates reported a vulnerability in their PGP encryption software that could allow a remote user to convince a recipient that the signature is valid when it is not in certain situations.

The vulnerability is reportedly due to the method that PGP uses to display key validity. A remote user who can obtain a signature on their key from a trusted third party can then add a second, unsigned user ID to their key. The remote user must then switch the unsigned false user ID to primary and convince the victim to place the key on their keyring. In this situation, it is reported that some of the displays in PGP do not properly identify the false user ID as invalid, because the other user ID on the same key is fully valid.

The vendor notes that when PGP displays validity information on a per-user ID basis, the display is always correct.
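The following model, added here and not taken from PGP or PGPsdk, contrasts the flawed key-level validity summary described above with the per-user-ID display the vendor says is always correct, and adds a keyring check that flags the advisory's pattern (an uncertified primary user ID on a key whose other user ID is valid). The key IDs, user IDs and trust set are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class UserID:
    name: str
    certified_by: set = field(default_factory=set)  # key IDs that signed this user ID
    primary: bool = False

@dataclass
class Key:
    key_id: str
    uids: list  # list of UserID

def uid_valid(uid: UserID, trusted_signers: set) -> bool:
    """Per-user-ID validity: valid only if a trusted introducer certified it."""
    return bool(uid.certified_by & trusted_signers)

def key_validity_aggregate(key: Key, trusted_signers: set) -> str:
    """The flawed key-level summary: 'valid' if ANY user ID is valid,
    no matter which user ID is currently shown as primary."""
    return "valid" if any(uid_valid(u, trusted_signers) for u in key.uids) else "invalid"

def key_validity_per_uid(key: Key, trusted_signers: set) -> dict:
    """Per-user-ID display: each user ID is judged on its own certifications."""
    return {u.name: ("valid" if uid_valid(u, trusted_signers) else "invalid")
            for u in key.uids}

def primary_uid_unsigned_but_key_looks_valid(key: Key, trusted_signers: set) -> bool:
    """Keyring check for the advisory's pattern: the primary user ID carries no
    trusted certification, yet the key-level summary would still read 'valid'."""
    primary = next((u for u in key.uids if u.primary), key.uids[0])
    return (not uid_valid(primary, trusted_signers)
            and key_validity_aggregate(key, trusted_signers) == "valid")

# Constructed sample: the viewer trusts one introducer key.
TRUSTED = {"TRUSTED-INTRODUCER"}
SAMPLE_KEY = Key("SAMPLE-KEY", [
    UserID("Original Name <original@example.test>", {"TRUSTED-INTRODUCER"}),
    UserID("Other Name <other@example.test>", set(), primary=True),  # unsigned, made primary
])

if __name__ == "__main__":
    print(key_validity_aggregate(SAMPLE_KEY, TRUSTED))      # flawed summary says "valid"
    print(key_validity_per_uid(SAMPLE_KEY, TRUSTED))        # per-user-ID view exposes the gap
    print(primary_uid_unsigned_but_key_looks_valid(SAMPLE_KEY, TRUSTED))
```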

This issue was discovered and reported to Network Associates/PGP Security, Inc. by Sieuwert van Otterloo.

Impact:   A remote user could convince a recipient that the PGP key signature is valid when it is not in certain situations.
Solution:   A fix has been issued to ensure that all key validity displays in PGP properly mark the unsigned user ID as invalid.

Hotfixes are reportedly available for the following products:
* PGP Corporate Desktop v7.1 (MacOS9/Win32)
* PGP Personal Security v7.0.3 (MacOS9/Win32)
* PGP Freeware v7.0.3 (MacOS9/Win32)
* PGP E-Business Server v7.1 (Linux/Solaris/AIX/HPUX/Win32)

Product upgrades are available for the following products:
* PGP E-Business Server v6.5.8x (OS/390)
* PGP E-Business Server v7.0.4 (Linux/Solaris/AIX/HPUX/Win32)

The hotfixes and upgrades are available at:
http://www.pgp.com/naicommon/download/upgrade/upgrades-patch.asp

Vendor URL:  www.pgp.com/support/product-advisories/pgpsdk.asp
Cause:   State error
Underlying OS:   Linux (Any), MacOS, UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Information on Other Versions) Re: PGP May Fail to Warn of Invalid Signatures in Certain Situations   (Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>)
This is a follow-up message.



 Source Message Contents

Date:  Tue, 4 Sep 2001 16:37:07 +0200
Subject:  PGPsdk Key Validity Vulnerability


http://www.pgp.com/support/product-advisories/pgpsdk.asp 

A vulnerability in PGP's display of key validity has been discovered
that could allow an attacker to fool users into thinking that a valid
signature was created by what is actually an invalid user ID. If the
attacker can obtain a signature on their key from a trusted third party,
they can then add a second user ID to their key which is unsigned. The
attacker must then switch the unsigned false user ID to primary and
convince the victim to place the key on their keyring. In such a case,
some of the displays in PGP do not properly identify the false user ID
as invalid because the second user ID is fully valid. Whenever PGP
displays validity information on a per-user ID basis, the display is
correct. Thus, attentive users who examine the user IDs of all public
keys which they import to their keyrings will immediately notice this
problem before it could have any impact.

This issue was discovered and reported to Network Associates/PGP
Security, Inc. by Sieuwert van Otterloo.

This issue has been corrected such that all key validity displays in PGP
will properly mark the unsigned user ID as invalid. Hotfixes are now
available for the following products:
* PGP Corporate Desktop v7.1 (MacOS9/Win32)
* PGP Personal Security v7.0.3 (MacOS9/Win32)
* PGP Freeware v7.0.3 (MacOS9/Win32)
* PGP E-Business Server v7.1 (Linux/Solaris/AIX/HPUX/Win32)

Product upgrades are available for the following products:
* PGP E-Business Server v6.5.8x (OS/390)
* PGP E-Business Server v7.0.4 (Linux/Solaris/AIX/HPUX/Win32)

The hotfixes and upgrades can be found at:
http://www.pgp.com/naicommon/download/upgrade/upgrades-patch.asp

Network Associates/PGP Security Inc. has published the PGPsdk source
code in electronic form for academic and cryptographic peer review. The
source packages can be downloaded from:
http://www.pgp.com/downloads/default.asp


-- 
 Patrick Oonk - PO1-6BONE - E: patrick@pine.nl - www.pine.nl/~patrick
 Pine Internet  -  PAT31337-RIPE  -   Hushmail: p.oonk@my.security.nl
 T: +31-70-3111010  -   F: +31-70-3111011   -  http://security.nl
 PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF  2F64 A65C 42AE 155C 3934
 Excuse of the day: disks spinning backwards - toggle the
 hemisphere jumper.

Copyright 2013, SecurityGlobal.net LLC