Connect with us

Hi, what are you looking for?


Data Protection

GnuPG Vulnerability Allows Spoofing of Message Signatures

GnuPG recently addressed an input sanitization vulnerability where a remote attacker could spoof arbitrary signatures.

GnuPG recently addressed an input sanitization vulnerability where a remote attacker could spoof arbitrary signatures.

Part of the GNU Project and also known as GPG, GnuPG is a complete and free implementation of the OpenPGP standard that enables the encryption and signing of data and communications. The hybrid-encryption software program has a versatile key management system and access modules for all kinds of public key directories.

Released earlier this month, GnuPG version 2.2.8 addresses CVE-2018-12020, a vulnerability affecting GnuPG, Enigmail, GPGTools and python-gnupg, Marcus Brinkmann, who discovered the bug, reveals. Brinkmann has dubbed the flaw SigSpoof.

“The signature verification routine in Enigmail, GPGTools 2018.2, and python-gnupg 0.4.2 parse the output of GnuPG 2.2.6 with a ‘–status-fd 2’ option, which allows remote attackers to spoof arbitrary signatures via the embedded ‘filename’ parameter in OpenPGP literal data packets, if the user has the verbose option set in their gpg.conf file,” he notes.

Status messages, GnuPG maintainer Werner Koch explains, are parsed by programs to get information from GPG about the validity of a signature. Status messages are created with the option “–status-fd N,” where N is a file descriptor. If N is 2, status messages and regular diagnostic messages share the stderr output channel.

The issue resides in the OpenPGP protocol allowing the inclusion of the file name of the original input file into a signed or encrypted message. The GnuPG tool can display a notice with that file name during decryption and verification, but it does not sanitize the file name, meaning that an attacker could include line feeds or other control characters in it.

Because of that, terminal control sequences could be injected, and the so-called status messages could be faked. Furthermore, the verification status of a signed email could also be faked.

“The attacker can inject arbitrary (fake) GnuPG status messages into the application parser to spoof signature verification and message decryption results. The attacker can control the key IDs, algorithm specifiers, creation times and user ids, and does not need any of the private or public keys involved,” Brinkmann explains.

Advertisement. Scroll to continue reading.

He also notes that status messages need to fit into 255 characters, this being the limitation for the “name of the encrypted file” in OpenPGP.

Brinkmann also published a proof of concept to show how signatures can be spoofed in Enigmail and GPGTools, and another to show how both the signature and encryption can be spoofed in Enigmail. Signature spoofing is also possible on the command line, he demonstrated.

While disabled by default, verbose is included in several recommended configurations for GnuPG, and it is one of the main causes for this vulnerability.

According to the researcher, users should make sure they don’t have verbose in gpg.conf and should avoid using gpg –verbose on the command line. Developers are advised to add –no-verbose to all invocations of gpg.

“The vulnerability in GnuPG goes deep and has the potential to affect a large part of our core infrastructure. GnuPG is not only used for email security, but also to secure backups, software updates in distributions, and source code in version control systems like Git,” Brinkmann claims.

Related: Side-Channel Attack on Libgcrypt Allows RSA Key Recovery

Related: Critical Vulnerability Patched in GnuPG, Libgcrypt

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...