SigSpoof
From HandWiki
Short description: Security vulnerabilities that affected GNU Privacy Guard
CVE identifier(s) | CVE-2018-12020 |
---|---|
Date discovered | June 2018 |
Discoverer | Marcus Brinkmann |
Affected software | GNU Privacy Guard (GnuPG) from v0.2.2 to v2.2.8. |
SigSpoof (CVE-2018-12020) is a family of security vulnerabilities that affected the software package GNU Privacy Guard ("GnuPG") since version 0.2.2, which was released in 1998.[1] Several other software packages that make use of GnuPG were also affected, such as Pass and Enigmail.[2][1]
In unpatched versions of affected software, SigSpoof attacks allow cryptographic signatures to be convincingly spoofed under certain circumstances.[1][3][4][2][5] This potentially enables a wide range of subsidiary attacks to succeed.[1][3][4][2][5]
References
- [1] Goodin, Dan (2018-06-14). "Decades-old PGP bug allowed hackers to spoof just about anyone's signature". https://arstechnica.com/information-technology/2018/06/decades-old-pgp-bug-allowed-hackers-to-spoof-just-about-anyones-signature/.
- [2] Chirgwin, Richard (2018-06-19). "Pass gets a fail: Simple Password Store suffers GnuPG spoofing bug". https://www.theregister.co.uk/2018/06/19/gnupg_popped_again_in_pass/.
- [3] Böck, Hanno (2018-06-13). "SigSpoof: Signaturen fälschen mit GnuPG". https://www.golem.de/news/sigspoof-signaturen-faelschen-mit-gnupg-1806-134940.html.
- [4] von Westernhagen, Olivia. "Enigmail und GPG Suite: Neue Mail-Plugin-Versionen schließen GnuPG-Lücke". https://www.heise.de/security/meldung/Enigmail-und-GPG-Suite-Neue-Mail-Plugin-Versionen-schliessen-GnuPG-Luecke-4078685.html.
- [5] "20 Jahre alter Fehler entdeckt: PGP-Signaturen ließen sich einfach fälschen - derStandard.at". 2018-06-18. https://derstandard.at/2000081781101/20-Jahre-alter-Fehler-entdeckt-PGP-Signaturen-liessen-sich-einfach.
Original source: https://en.wikipedia.org/wiki/SigSpoof.