Allele Security Alert
ASA-2019-00529
Identifier(s)
ASA-2019-00529, CVE-2019-9154
Title
Information from unhashed subpackets is trusted
Vendor(s)
ProtonMail
Product(s)
OpenPGP.js
Affected version(s)
OpenPGP.js versions before 4.2.0
Fixed version(s)
OpenPGP.js version 4.2.0
Proof of concept
Yes
Description
OpenPGP signature subpackets contain information related to a signature (e.g. the creation timestamp). These subpackets may appear in a “hashed” and “unhashed” subpacket container. While the information in the hashed subpackets is signed, the unhashed subpackets are not cryptographically protected. OpenPGP.js however does not distinguish between these subpackets. When parsing a signature packet, the signed information is parsed first. When the unhashed packets are read, the information from the hashed packets is overwritten.
An attacker could arbitrarily modify the contents of e.g. a key certification signature or revocation signature. As a result, the attacker could e.g. convince a victim to use an obsolete key for encryption.
Technical details
Unknown
Credits
Wolfgang Ettlinger (SEC Consult Vulnerability Lab)
Reference(s)
Multiple Vulnerabilities in OpenPGP.js
https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-openpgp-js/
Mailvelope Extensions Security Audit
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.html
Mailvelope Extensions Security Audit [PDF]
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.pdf?__blob=publicationFile
SEC_Consult_BSI_Mailvelope-unsigned_subpackets.txt
https://sec-consult.com/wp-content/uploads/2019/08/SEC_Consult_BSI_Mailvelope-unsigned_subpackets.txt
Release v4.2.0 – Security Release · openpgpjs/openpgpjs
https://github.com/openpgpjs/openpgpjs/releases/tag/v4.2.0
Don’t trust unhashed signature subpackets
https://github.com/openpgpjs/openpgpjs/pull/797/commits/47138eed61473e13ee8f05931119d3e10542c5e1
CVE-2019-9154
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9154
CVE-2019-9154
https://nvd.nist.gov/vuln/detail/CVE-2019-9154
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: September 4, 2019