Not much time has passed since a critical vulnerability in PGP came to light: the popular email encryption tool failed to keep encrypted messages confidential. Now researchers have discovered another bug, this one allowing attackers to spoof anyone's digital email signature. The SigSpoof vulnerability has affected several email encryption tools, including GnuPG, Enigmail, and GPGTools, for decades.
SigSpoof Vulnerability – Anyone Could Spoof Digital Signatures
On Wednesday, Marcus Brinkmann disclosed a critical bug in email encryption tools that undermines the assurance digital signatures are meant to provide. The flaw, which he named the ‘SigSpoof vulnerability’, allowed anyone to spoof the digital signatures that public-private key cryptography is supposed to guarantee, so an attacker could easily bypass signature verification in email encryption tools.
The researcher compared the attack to ‘phreaking’ phone lines, a method used in the 1970s to manipulate telephone call routing. Brinkmann named the vulnerability, identified as CVE-2018-12020, ‘SigSpoof’. As stated in his blog,
“The signature verification routine in Enigmail 2.0.6.1, GPGTools 2018.2, and python-GnuPG 0.4.2 parse the output of GnuPG 2.2.6 with a "--status-fd 2" option, which allows remote attackers to spoof arbitrary signatures via the embedded "filename" parameter in OpenPGP literal data packets, if the user has the verbose option set in their gpg.conf file.”
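The failure the quoted description points at is a parsing one: a verifier that reads GnuPG status lines from stderr, where verbose diagnostics also land, cannot tell genuine status output from text that a file's embedded name put there. The Python below is an added example, not code from the article, GnuPG, Enigmail or python-GnuPG; its stderr sample is constructed, and only the last function assumes a gpg binary on PATH.

```python
import os
import subprocess

STATUS_PREFIX = "[GNUPG:] "
# Constructed stderr from a gpg run with "--status-fd 2" and "verbose": the
# diagnostic quoting the embedded filename contains a newline followed by
# text shaped like a status line (placeholder fingerprint, not a real key).
CONSTRUCTED_MERGED_STDERR = (
    "gpg: original file name='note.txt\n"
    "[GNUPG:] VALIDSIG 00000000000000000000000000000000DEADBEEF\n"
    "'\n"
    "[GNUPG:] PLAINTEXT 62 1528876800 note.txt\n"
)
# The same run seen through a dedicated status fd: only genuine status lines.
CONSTRUCTED_DEDICATED_STATUS = "[GNUPG:] PLAINTEXT 62 1528876800 note.txt\n"


def parse_status_stream(status_text):
    """Return (good, fingerprint, error); trustworthy only when status_text
    came from a fd that carries nothing but GnuPG status lines."""
    good, fingerprint = False, None
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            # A stray line means diagnostics were mixed into the status
            # stream, so fail closed instead of skipping it.
            return False, None, f"non-status line in status stream: {line!r}"
        fields = line[len(STATUS_PREFIX):].split()
        if len(fields) > 1 and fields[0] == "VALIDSIG":
            good, fingerprint = True, fields[1]
        elif fields and fields[0] in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            return False, None, line
    return good, fingerprint, None


def naive_parse_merged_stderr(stderr_text):
    """Pre-fix pattern: grep status lines out of a stderr that also carries
    'gpg: ...' diagnostics, so injected text shaped like status is trusted."""
    status_only = [l for l in stderr_text.splitlines() if l.startswith(STATUS_PREFIX)]
    return parse_status_stream("\n".join(status_only))


def verify_with_dedicated_status_fd(signed_path):
    """Hardened pattern: give gpg its own pipe for status output and leave
    stderr to diagnostics. Needs gpg on PATH; not exercised offline."""
    read_fd, write_fd = os.pipe()
    try:
        subprocess.run(["gpg", "--batch", "--status-fd", str(write_fd),
                        "--verify", signed_path],
                       pass_fds=(write_fd,), capture_output=True, check=False)
    finally:
        os.close(write_fd)
    with os.fdopen(read_fd) as status:
        return parse_status_stream(status.read())
```

Upgrading to the fixed releases listed below still applies; separating the status fd from stderr is the wrapper-side habit that keeps a verifier from depending on how GnuPG quotes diagnostics.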
Security Updates Released
Brinkmann explained that the SigSpoof vulnerability primarily affected specific versions of Enigmail, GPGTools, GnuPG, and python-GnuPG. Users can protect themselves by upgrading to Enigmail 2.0.7, GPGTools 2018.3, GnuPG 2.2.8 or 1.4.23, and python-GnuPG 0.4.3.
He nevertheless expressed concern that, for several decades, this vulnerability had exposed critical infrastructure to attack.
“The vulnerability in GnuPG goes deep and has the potential to affect a large part of our core infrastructure. GnuPG is not only used for email security, but also to secure backups, software updates in distributions, and source code in version control systems like Git.”
Email encryption vulnerabilities are always a serious cybersecurity threat. A few weeks earlier, the EFAIL bug in PGP and S/MIME encryption tools was found to expose encrypted emails in plaintext. Now that another bug allows digital signatures to be spoofed, email encryption clearly demands more attention and improvement.
Let us know your thoughts in the comments section below.