#VU20372 Improper Authentication in OpenPGP.js - CVE-2019-9154
Published: August 23, 2019 / Updated: August 23, 2019
Vulnerability identifier: #VU20372
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2019-9154
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
OpenPGP.js
OpenPGP.js
Software vendor:
ProtonMail
ProtonMail
Description
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to the unhashed subpackets are not cryptographically protected. A remote attacker can arbitrarily modify the contents of e.g. a key certification signature or revocation signature. As a result, the attacker can e.g. convince a victim to use an obsolete key for encryption.
Remediation
Install updates from vendor's website.
External links
- https://github.com/openpgpjs/openpgpjs/pull/797
- https://github.com/openpgpjs/openpgpjs/pull/797/commits/47138eed61473e13ee8f05931119d3e10542c5e1
- https://github.com/openpgpjs/openpgpjs/releases/tag/v4.2.0
- https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-openpgp-js/
- https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.html#download=1