ASA-2019-00529 – OpenPGP.js: Information from unhashed subpackets is trusted

Posted on by Allele Security Intelligence in Alerts

Allele Security Alert

ASA-2019-00529

Identifier(s)

ASA-2019-00529, CVE-2019-9154

Title

Information from unhashed subpackets is trusted

Vendor(s)

ProtonMail

Product(s)

OpenPGP.js

Affected version(s)

OpenPGP.js versions before 4.2.0

Fixed version(s)

OpenPGP.js version 4.2.0

Proof of concept

Yes

Description

OpenPGP signature subpackets contain information related to a signature (e.g. the creation timestamp). These subpackets may appear in a “hashed” and “unhashed” subpacket container. While the information in the hashed subpackets is signed, the unhashed subpackets are not cryptographically protected. OpenPGP.js however does not distinguish between these subpackets. When parsing a signature packet, the signed information is parsed first. When the unhashed packets are read, the information from the hashed packets is overwritten.

An attacker could arbitrarily modify the contents of e.g. a key certification signature or revocation signature. As a result, the attacker could e.g. convince a victim to use an obsolete key for encryption.

Technical details

Unknown

Credits

Wolfgang Ettlinger (SEC Consult Vulnerability Lab)

Reference(s)

Multiple Vulnerabilities in OpenPGP.js
https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-openpgp-js/

Mailvelope Extensions Security Audit
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.html

Mailvelope Extensions Security Audit [PDF]
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.pdf?__blob=publicationFile

SEC_Consult_BSI_Mailvelope-unsigned_subpackets.txt
https://sec-consult.com/wp-content/uploads/2019/08/SEC_Consult_BSI_Mailvelope-unsigned_subpackets.txt

Release v4.2.0 – Security Release · openpgpjs/openpgpjs
https://github.com/openpgpjs/openpgpjs/releases/tag/v4.2.0

Don’t trust unhashed signature subpackets
https://github.com/openpgpjs/openpgpjs/pull/797/commits/47138eed61473e13ee8f05931119d3e10542c5e1

CVE-2019-9154
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9154

CVE-2019-9154
https://nvd.nist.gov/vuln/detail/CVE-2019-9154

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: September 4, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.