CVE-2023-41037
Cleartext Signed Message Signature Spoofing in openpgp
Description
### Impact OpenPGP Cleartext Signed Messages are cryptographically signed messages where the signed text is readable without special tools: ``` -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 This text is signed. -----BEGIN PGP SIGNATURE----- wnUEARMIACcFgmTkrNAJkInXCgj0fgcIFiEE1JlKzzDGQxZmmHkYidcKCPR+ BwgAAKXDAQDWGhI7tPbhB+jlKwe4+yPJ+9X8aWDUG60XFNi/w8T7ZgEAsAGd WJrkm/H5AXGZsqyqqO6IWGF0geTCd4mWm/CsveM= -----END PGP SIGNATURE----- ``` These messages typically contain a "Hash: ..." header declaring the hash algorithm used to compute the signature digest. OpenPGP.js up to v5.9.0 ignored any data preceding the "Hash: ..." texts when verifying the signature. As a result, malicious parties could add arbitrary text to a third-party Cleartext Signed Message, to lead the victim to believe that the arbitrary text was signed. A user or application is vulnerable to said attack vector if it verifies the CleartextMessage by only checking the returned `verified` property, discarding the associated `data` information, and instead _visually trusting_ the contents of the original message: ```js const cleartextMessage = ` -----BEGIN PGP SIGNED MESSAGE----- This text is not signed but you might think it is. Hash: SHA256 This text is signed. -----BEGIN PGP SIGNATURE----- wnUEARMIACcFgmTkrNAJkInXCgj0fgcIFiEE1JlKzzDGQxZmmHkYidcKCPR+ BwgAAKXDAQDWGhI7tPbhB+jlKwe4+yPJ+9X8aWDUG60XFNi/w8T7ZgEAsAGd WJrkm/H5AXGZsqyqqO6IWGF0geTCd4mWm/CsveM= -----END PGP SIGNATURE----- `; const message = await openpgp.readCleartextMessage({ cleartextMessage }); const verificationResult = await verifyCleartextMessage({ message, verificationKeys }); console.log(await verificationResult.verified); // output: true console.log(verificationResult.data); // output: 'This text is signed.' ``` Since `verificationResult.data` would always contain the actual signed data, users and apps that check this information are not vulnerable. Similarly, given a CleartextMessage object, retrieving the data using `getText()` or the `text` field returns only the contents that are considered when verifying the signature. Finally, re-armoring a CleartextMessage object (using `armor()` will also result in a "sanitised" version, with the extraneous text being removed. Because of this, we consider the vulnerability impact to be very limited when the CleartextMessage is processed programmatically; this is reflected in the Severity CVSS assessment, specifically in the scope's score ("Unchanged"). ### Patches - v5.10.1 (current stable version) will reject messages when calling `openpgp.readCleartextMessage()` - v4.10.11 (legacy version) will reject messages when calling `openpgp.cleartext.readArmored()` ### Workarounds Check the contents of `verificationResult.data` to see what data was actually signed, rather than visually trusting the contents of the armored message. ### References Similar CVE: https://sec-consult.com/vulnerability-lab/advisory/cleartext-message-spoofing-in-go-cryptography-libraries-cve-2019-11841/