SigSpoof PGP Spoofing Vulnerability

A vulnerability in the GnuPG implementation of the OpenPGP encryption standard, referred to as SigSpoof, has been detailed by a security researcher.

Threat ID:: CC-2502
Category:: Exploit
Threat Severity:: Low
Threat Vector:
Published:: 20 June 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

A vulnerability in the GnuPG implementation of the OpenPGP encryption standard, referred to as SigSpoof, has been detailed by a security researcher.

Threat details

They claim that an attacker could exploit this vulnerability to spoof the digital signature of any user with a public key.

Digital signatures are used to determine an encrypted message's origin. Typically, a private encryption key is used by the source to indicate it is signed, SigSpoof makes it possible to sign messages with a public encryption key or key ID, both of which are often freely published on the Internet.

The vulnerability itself lies in how the affected tools enable the verbose setting. When this is enabled metadata can be hidden within an encrypted message in such a way as to appear as if it is the result of a legitimate signature verification. The tools can then cause email clients to incorrectly indicate the messages are cryptographically signed by someone chosen by the user.

For further information:

Remediation steps

Type	Step
	Enigmail, GnuPG, GPGTools and python-gnupg have all been updated to rectify this vulnerability. Users are advised to upgrade their affected systems immediately. If you suspect your tools may be affected please contact your relevant supplier to verify.

Last edited: 9 October 2020 11:35 am