#VU13258 Spoofing attack in GnuPG


Published: 2018-06-10 | Updated: 2018-06-11

Vulnerability identifier: #VU13258

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-12020

CWE-ID: CWE-451

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
GnuPG
Client/Desktop applications / Encryption software

Vendor: GNU

Description

The vulnerability allows a remote attacker to conduct spoofing attack.

The vulnerability exists due to an input validation flaw in the processing of filenames when displaying the filename. A remote attacker can send a signed and encrypted email message that includes the specially crafted name of the original input file, spoof status messages and fake the verification status of a signed email message.

Mitigation
Update to version 2.2.8.

Vulnerable software versions

GnuPG: 2.2.4 - 2.2.7

External links
http://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell EMC Data Computing Appliance (DCA)
Red Hat update for gnupg
Red Hat update for gnupg
Amazon Linux AMI update for gnupg
Slackware Linux update for gnupg
SUSE Linux update for enigmail
OpenSUSE Linux update for enigmail
OpenSUSE Linux update for python-python-gnupg
OpenSUSE Linux update for gpg2
Arch Linux update for gnupg