Overview
PGP Desktop 10.0.3 and earlier versions as well as 10.1.0 are vulnerable to an unsigned data injection attack. PGP Command Line versions 9.6 and greater are not affected by this vulnerability.
Description
The PGP Desktop user interface displays a message that contains unsigned data as if the whole message were signed. A user cannot distinguish the legitimately signed part from malicious unsigned parts appended to it. Additional details may be found in PGP's KnowledgeBase article 2290, Symantec's Security Advisory SYM10-012, and Eric R. Verheul's Pretty Good Piggy-backing paper.
Impact
An attacker could add a message part (attachment) to a valid, signed PGP message, and the entire message, including the attacker's message part, would be reported to the reader as having a valid signature.
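The following is an added illustration, not code from PGP, Symantec or the advisory. It builds a minimal RFC 4880 packet stream of the shape One-Pass Signature, Literal Data, Signature, Literal Data, where the trailing Literal Data packet is the piggy-backed part that no signature covers, and then contrasts a naive "a signature packet is present, so the message is signed" verdict with a structural check that reports which parts actually sit inside a signature envelope. The Signature packet body is a structural placeholder with no cryptographic value; the point is that data outside the envelope is unsigned regardless of whether the signature itself verifies. The filenames, key ID and payloads are constructed sample data.

```python
"""Flag literal data packets that a signature in an OpenPGP stream cannot cover."""
import struct

TAG_SIGNATURE = 2
TAG_ONE_PASS_SIGNATURE = 4
TAG_LITERAL_DATA = 11


def encode_new_length(n):
    """RFC 4880 4.2.2 new-format body length (partial lengths not used here)."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def packet(tag, body):
    """Wrap a body in a new-format packet header (0xC0 | tag)."""
    return bytes([0xC0 | tag]) + encode_new_length(len(body)) + body


def parse_packets(data):
    """Split a byte string into (tag, body) pairs; accepts old- and new-format headers."""
    packets, pos = [], 0
    while pos < len(data):
        ptag = data[pos]
        if not ptag & 0x80:
            raise ValueError("invalid packet tag at offset %d" % pos)
        pos += 1
        if ptag & 0x40:  # new format
            tag, first = ptag & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths are not handled in this example")
        else:  # old format: tag in bits 5..2, length type in bits 1..0
            tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
            if ltype == 3:
                length = len(data) - pos
            else:
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        packets.append((tag, body))
        pos += length
    return packets


def literal_data_body(filename, payload, date=0):
    """RFC 4880 5.9: format octet, filename length, filename, date, data."""
    name = filename.encode()
    return b"b" + bytes([len(name)]) + name + struct.pack(">I", date) + payload


def literal_filename(body):
    return body[2:2 + body[1]].decode()


# Constructed one-pass signature body: v3, type 0x00, SHA-256, RSA, sample key ID, nested=1.
ONE_PASS_SIG_BODY = bytes([3, 0x00, 8, 1]) + bytes.fromhex("0123456789abcdef") + bytes([1])
# Constructed signature body: v4 header fields, empty subpackets, hash prefix, dummy MPI.
# Structurally a Signature packet, cryptographically meaningless.
SIGNATURE_BODY = bytes([4, 0x00, 1, 8]) + b"\x00\x00\x00\x00" + b"\xab\xcd" + b"\x00\x08\xa5"


def classify_literals(packets):
    """Return [(filename, inside_signature_envelope)] in stream order.

    A one-pass signed message is One-Pass Signature, <message>, Signature, so only
    literal data between an OPS packet and its closing Signature packet is covered.
    Data after the last closing Signature is not covered by anything in the stream.
    (The legacy 'Signature Packet, OpenPGP Message' form of RFC 4880 11.3 is not
    modelled; it would be reported as unsigned, which is the safe direction.)
    """
    depth, result = 0, []
    for tag, body in packets:
        if tag == TAG_ONE_PASS_SIGNATURE:
            depth += 1
        elif tag == TAG_SIGNATURE and depth > 0:
            depth -= 1
        elif tag == TAG_LITERAL_DATA:
            result.append((literal_filename(body), depth > 0))
    return result


def naive_verdict(packets):
    """Models the reported fault: any Signature packet makes the whole message look signed."""
    return "signed" if any(t == TAG_SIGNATURE for t, _ in packets) else "unsigned"


def strict_verdict(packets):
    """'signed' only when every literal data packet is inside an envelope."""
    parts = classify_literals(packets)
    return "signed" if parts and all(s for _, s in parts) else "unsigned data present"


def build_piggybacked_message():
    """Constructed sample: a one-pass signed part followed by an injected, unsigned part."""
    return (packet(TAG_ONE_PASS_SIGNATURE, ONE_PASS_SIG_BODY)
            + packet(TAG_LITERAL_DATA, literal_data_body("report.txt", b"Signed report body\n"))
            + packet(TAG_SIGNATURE, SIGNATURE_BODY)
            + packet(TAG_LITERAL_DATA, literal_data_body("invoice.exe", b"piggy-backed content")))


if __name__ == "__main__":
    pkts = parse_packets(build_piggybacked_message())
    for name, covered in classify_literals(pkts):
        print("%-12s %s" % (name, "signed" if covered else "NOT covered by any signature"))
    print("naive verdict :", naive_verdict(pkts))
    print("strict verdict:", strict_verdict(pkts))
```

Running the block prints report.txt as signed and invoice.exe as not covered, with the naive verdict "signed" and the strict verdict "unsigned data present". A real client must additionally verify the signature over the enclosed data; the structural check only decides which parts a verified signature could vouch for.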
Solution
Apply an update. Users should upgrade to version 10.0.3 SP2 or 10.1.0 SP1.
PGP recommends the following workaround:
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- |
Temporal | 0 | E:ND/RL:ND/RC:ND |
Environmental | 0 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Eric R. Verheul for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
CVE IDs: CVE-2010-3618
Severity Metric: 0.41
Date Public: 2010-11-16
Date First Published: 2010-11-18
Date Last Updated: 2010-11-19 16:34 UTC
Document Revision: 26