Boletin Seguridad 2000-010

To: gasu en asc unam mx, ayuda en linux org mx
Subject: Boletin Seguridad 2000-010
From: Area de Seguridad en Computo <asc en conga super unam mx>
Date: Mon, 28 Aug 2000 03:00:03 -0500 (CDT)
Cc: mx-seguridad en asc unam mx, asc-avisos en asc unam mx
In-reply-to: <Pine.LNX.4.21.0008271616160.12633-100000@conga.super.unam.mx>
Sender: owner-ayuda en linux org mx
-----BEGIN PGP SIGNED MESSAGE-----


 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  
                    'Area de Seguridad en C'omputo
  
                            DGSCA- UNAM
  
                    Bolet'in de Seguridad 2000-010
  
          PGP permite cifrado de datos sin la autorizaci'on de ADK's
  
 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  
 
 
 Fecha de Liberaci'on : 24 de Agosto del 2000
 Ultima Revisi'on :     27 de Agosto del 2000
 Fuente:                CERT/CC y diversos reportes de Equipos de Respuesta
  		        a Incidentes
 
 
 , , , , , , , , , , , , 
 * Sistemas Afectados  *
 , , , , , , , , , , , , 
 
 Todas las versiones del programa PGP contenidas en las versiones 5.5.X a
 la versi'on 5.5.3, en su formato de version US y version internacional.

 , , , , , , , , , , , , , , , 
 * Descripci'on del Problema *
 , , , , , , , , , , , , , , , 

Las llaves de descifrado adicionales mejor conocidas como (ADK'S) son una
modalidad introducida dentro del software PGP(Pretty Good Privacy) en las
versiones 5.5.X a las versiones 6.5.3 que permiten el descifrado de llaves
autorizado para que estas sean an~adidas al certificado de llave publica
del usuario. Sin embargo, una bandera contenida en el programa PGP permite
que las llaves de descifrado adicionales puedan ser an~adidas a un
certificado al ser usado para su cifrado.

Los datos cifrados con PGP 5.5.X a las versiones 6.5.3 usan un certificado
modificado el cual generar'a el texto cifrado con el ADK. El intruso el
cual modifica el certificado puede obtener el texto en formato plano de
este texto cifrado.

Como resultado de esto los m'etodos de la evaluacion de legitimidad de un
certificado p'ublico tales comola verificaci'on  fingerprint, no resultan
suficientemente bastas para los usuarios que utilizan dichas versiones.

A continuaci'on anexamos el contenido original de dicho boletin, el cual
puede ser obtenido en su formato Original de los siguientes URL's :

http://www.cert.org/advisories/CA-2000-18.html
http://cryptome.org/pgp-badbug.htm
http://senderek.de/security/key-experiments.html

- ------------------------------------------------------------------------

I. Description
A serious problem in the handling of certificates when encrypting with PGP
versions 5.5.x through 6.5.3 has recently been discovered by Ralf
Senderek. A detailed description of his research and conclusions can be
found at 

http://senderek.de/security/key-experiments.html 
This advisory refers to "PGP certificates", which most users would refer
to as a "PGP keys". PGP certificates are the files used to store and
exchange keys. A certificate contains one or more keys, as well as other
information such as the creation time, signatures by other keys, and
"additional decryption keys". 

An Additional Decryption Key (ADK) is a mechanism by which a second
decryption key can be associated with a user's primary key in a
certificate. All data encrypted for the primary key would also be
encrypted with the second key. This configuration might be used, for
example, in environments where data encrypted with an individual's key
also needs to be available to their employer. 

The ADK feature is intended to only be available on those certificates
where the user specifically consented to having an additional key
associated with theirs. However, because of an implementation flaw in some
versions of PGP, ADKs added to a victim's certificate by an attacker may
be used for encryption in addition to the victim's key without their
consent. 

Since a user's public key certificate is often widely distributed, an
attacker could make this modification to a specific copy of the
certificate without the legitimate user's knowledge. When a vulnerable
version of PGP uses the modified certificate for encryption, it fails to
detect that the ADK is contained in the unsigned portion of the
certificate. Because PGP does not report an invalid signature, senders
using the modified certificate have no way to detect the modification
without complicated manual inspection. 

  
 


No legitimately produced PGP certificate will exhibit this vulnerability,
nor is this an inherent weakness in the ADK functionality. Your exposure
to this vulnerability is independent of whether or not you legitimately
employ ADKs. 

The PGP Software Development Kit (PGP SDK) has this vulnerability,
implying that PGP plugins and other PGP enabled applications may be
vulnerable as well. We will provide additional information as it becomes
available. 

II. Impact
Attackers who are able to modify a victim's public certificate may be able
to recover the plaintext of any ciphertext sent to the victim using the
modified certificate. 

For this vulnerability to be exploited, the following conditions must
hold: 

the sender must be using a vulnerable version of PGP 
the sender must be encrypting data with a certificate modified by the
attacker 
the sender must acknowledge a warning dialog that an ADK is associated
with the certificate 
the sender must already have the key for the bogus ADK on their local
keyring 
the bogus ADK must be a certificate signed by a CA that the sender trusts 
the attacker must be able to obtain the ciphertext sent from the sender to
the victim 
Taken together, these conditions limit the likely exploitation of this
vulnerability to those situations in which the key identified as the ADK
is a known valid key. These conditions might occur when the attacker is an
insider known to the victim, but are unlikely to occur if the attacker is
a completely unrelated third party. 

Viewing the keys in a GUI interface clearly shows that an ADK is
associated with a given recipient, as shown in this image. 

Since the key associated with the ADK is clearly listed as one of the
recipients of the ciphertext, it is likely that the sender might notice
this and be able to identify the attacker. 

The recipient may use any type of PGP key, including RSA and
Diffie-Hellman. The version of PGP used by the recipient has no impact on
the attack. 

III. Solution
Apply a patch
Network Associates has produced a new version of PGP 6.5 which corrects
this vulnerability by requiring that the ADK be included in the signed
portion of the certificate. 

Appendix A contains information provided by vendors for this advisory. We
will update the appendix as we receive more information. If you do not see
your vendor's name, the CERT/CC did not hear from that vendor. Please
contact your vendor directly.

Check certificates for ADKs before adding them to a keyring.
Users of PGP who want to ensure that they are not using a modified
certificate should check for the existence of ADKs when adding new keys to
their keyring. Certificates that do not have ADKs are not vulnerable to
this problem. Certificates which do have ADKs may be legitimate or
modified and should be confirmed using an out-of-band communication. 

Users of PGP 6.x for Windows and MacOS can test for the presence of ADKs
in a certificate by right clicking on the certificate and selecting "Key
Properties". If the ADK tab is present, the key has one or more ADKs and
might be a malicious certificate. We are not aware of a way to identify
ADKs in the UNIX command line version of PGP 5.x or 6.x. 

Users of GnuPG can test for certificates with ADKs by running the command 

gpg --list-packet 
Certificates with legitimate ADKs will contain in the output 

hashed subpkt 10 len 23 (additional recipient request) 
while those missing the "hashed" keyword 
subpkt 10 len 23 (additional recipient request) 
appear to indicate maliciously modified certificates. 
Make a reliable copy of your public certificate publicly available.
Since the recipient of messages encrypted with a modified certificate
cannot prevent the plaintext from being recovered by the attacker, their
best course of action is to ensure that senders are able to easily obtain
legitimate copies of their public certificate. 

Until this problem has been widely corrected, you may wish to make your
legitimate certificate available in a location that is strongly
authenticated using a different technology, or to make it available in
more than one place. 

For example, the CERT/CC PGP certificate does NOT contain any ADKs, and a
legitimate version can be obtained from our SSL secured web site at 

https://www.cert.org/pgp/cert_pgp_key.asc 
You may also want to check that your public certificate has not been
modified on the public certificate servers. Changes are likely to be made
to the popular PGP certificate servers to detect and reject invalid
certificates that attempt to exploit this vulnerability. 

Appendix A. Vendor Information
Network Associates, Inc.
We at NAI/PGP Security regret this important bug in the ADK feature that
has been described on various Internet postings today (Thursday 24
Aug). We were made aware of this bug in PGP early this morning. 

We are responding as fast as we can, and expect to have new 6.5.x releases
out to fix this bug late Thursday evening. The MIT web site should have a
new PGP 6.5.x freeware release early Friday, and the NAI/PGP web site
should have patches out for the commercial releases at about the same
time. As of this afternoon (Thursday), the PGP key server at PGP already
filters out keys with the bogus ADK packets. We expect to have fixes
available for the other key servers that run our software by tomorrow. We
have also alerted the other vendors that make PGP key server software to
the problem, and expect Highware/Veridis in Belgium to have their key
servers filtering keys the same way by Friday. 

The fixes that we are releasing for the PGP client software filters out
the offending ADK packets. We already warn the users whenever they are
about to use an ADK, even in the normal case. 

We will have new information as soon as it becomes available at
http://www.pgp.com. 

Philip Zimmermann
prz en pgp com
19:00 PDT Thursday 24 Aug 2000


A signed version of this statement is available at 

CA-2000-18/pgp.asc 

- --------------------------------------------------------------------------------


 , , , , , , ,
 * INFORMACION *
 , , , , , , ,


 Para Mayor Informaci'on o Detalles de este bolet'in contactar a:

                 'Area de Seguridad en C'omputo
                 DGSCA- UNAM
                 Tel : 56 22 81 69
                 Fax : 56 22 80 43
                 E-Mail : asc en asc unam mx
                 http://www.asc.unam.mx
                 ftp://ftp.asc.unam.mx


- ---
Juan Carlos Guel L'opez
Area de Seguridad en C'omputo   E-mail: asc en conga super unam mx
DGSCA, UNAM                     Tel.: 5622-81-69  Fax: 5622-80-43
Circuito Exterior, C. U.        WWW: http://www.asc.unam.mx/
04510 Mexico D. F.              PGP: finger asc en ds5000 super unam mx 


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQEVAwUBOaocED6HeEeO/+C1AQH/AggAy/M4qWV03H+G4dadHEzhkTuR8NBCR8/6
oV7hhyvhLRC9dZFIAnjuTVPU065iu61a1HQp35rs0S3gl/C0WH9AtiT+7YpEP73N
duTTnucuIqF7s9clQh/ZNwWdyxyUKzWn01QHD/oBKMEpkSXM91nmD7nrGhcDFNh6
VMkvMnCDKG3YDZfF5iqmq2+dx2doAJVOn1nJvJOId8vFbHvL6X5aEDk1J7BqDf/C
s2afyPeuk/lJVP1O4LLEIhkBb5ioy4TVBhtXDH0NJIiGiiHsxTuja8LeSrwe5hV+
s4wptpXQ4UMMBKiQNlmmV7AaEHD/2qbbrIKbnqBdsc54c43ni8DlDA==
=e6Bh
-----END PGP SIGNATURE-----


---------------------------------------------------------
para salir de la lista, enviar un mensaje con las palabras
"unsubscribe ayuda" en el cuerpo a majordomo en linux org mx
Referencias:
- Boletin Seguridad 2000-009
  - De: Area de Seguridad en Computo
Previo por Fecha: Boletin Seguridad 2000-009
Siguiente por Fecha: Sobre proxy.
Previo por Hilo: Boletin Seguridad 2000-009
Siguiente por Hilo: Sobre proxy.
[Hilos de Discusión] [Fecha] [Tema] [Autor]