diff --git a/misc/blog.gnupg.org/20221017-pepe-left-the-ksba.org b/misc/blog.gnupg.org/20221017-pepe-left-the-ksba.org new file mode 100644 index 0000000..4c929b2 --- /dev/null +++ b/misc/blog.gnupg.org/20221017-pepe-left-the-ksba.org @@ -0,0 +1,155 @@ +#+STARTUP: showall +#+OPTIONS: ^:{} num:nil toc:nil +#+STARTUP: showall +#+AUTHOR: g10 Code GmbH +#+DATE: 2022-10-17 +#+TITLE: Security Advisory for Libksba/GnuPG (GnuPG-bug-id: 6230) + +#+html:

Security Advisory for Libksba / GnuPG

+ +** Integer Overflow in LibKSBA / GnuPG + +A severe bug has been found in [[https://gnupg.org/software/libksba/][Libksba]] , the library used by GnuPG for +parsing the ASN.1 structures as used by S/MIME. The bug affects all +versions of [[https://gnupg.org/software/libksba/][Libksba]] before 1.6.2 and may be used for remote code +execution. *Updating this library is thus important*. + +*** Who is affected + +The major user of [[https://gnupg.org/software/libksba/][Libksba]] is /gpgsm/, the S/MIME cousin of /gpg/. +There it is used to parse all kind of input data, in particular signed +or encrypted data in files or in mails. Feeding a user with malicious +data can thus be easily achieved. + +A second user of [[https://gnupg.org/software/libksba/][Libksba]] is /dirmngr/, which is responsible for loading +and parsing Certificate Revocation Lists (CRLs) and for verifying +certificates used by TLS (i.e. https connections). Mounting an attack +is a bit more complex but can anyway be easily done using a rogue web +server to serve a Web Key Directory, certificates, or CRLs. + +An exploit is not yet publicly known but very straightforward to create +for experienced crooks. + +Affected to our knowledge are: + +- Most software using /Libksba/ versions up to 1.6.1 + +- All /Gpg4win/ versions from version 2.0.0 up to 4.0.3 + +- All /GnuPG VS-Desktop^{\reg}/ versions from 3.1.16 up to 3.1.24 + +- All /GnuPG installers for Windows/ from version 2.3.0 up to 2.3.7 + +- All /GnuPG LTS installers for Windows/ from version 2.1.0 up to 2.2.39 + + +*** How to fix + +If you are on a Unix or Linux system you should get the latest version +of Libksba (1.6.2 or newer), build the software and install the new +shared library. Restart any background processes (e.g. =gpgconf +--kill all= for GnuPG). In the rare case that Libksba is statically +linked remember to rebuild those binaries. 
+ +If your are on Windows or if you use an AppImage of GnuPG VS-Desktop +update to the latest version: + +- Gpgwin version 4.0.4 or newer +- GnuPG VS-Desktop version 3.1.25 or newer (MSI or AppImage) +- GnuPG installer for Windows version 2.3.8 +- GnuPG LTS installer for Windows version 2.2.40 + +In case you are not yet ready to deploy a new version, please extract +=libksba-8.dll= from the respective package and replace the +original one by this one. This is sufficient to fix the security +issue. + + +*** How to check whether GnuPG has been fixed + +GnuPG is the most prominent user of Libksba and it is not immediately +visible whether a fixed version of Libksba is used. To check this run: + +: gpgconf --show-versions + +and watch out for a line like + +: * KSBA 1.6.2 (xxxxx) + +If you see a version number of 1.6.2 or newer, you got the fix. + +*** CVE + +- GnuPG-bug-id :: 6230 (https://dev.gnupg.org/T6230) +- CVE :: Not yet assigned. +- CVSS :: 8.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H +- Other-IDs :: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18927 + +CVSS taken from the Trend Micro Zero Day Initiative report. + + +** Technical background + +The task of Libksba is to parse and build ASN.1 objects as used by +S/MIME, X.509, and CMS. The used encoding (BER, DER) is based on +tag-length-value objects. The function /_ksba_ber_read_tl/ parses +such data and returns the tag and associated information in this +structure: + +#+begin_src C +struct tag_info { + enum tag_class class; + int is_constructed; + unsigned long tag; + unsigned long length; /* Length part of the TLV */ + int ndef; /* It is an indefinite length */ + size_t nhdr; /* Number of bytes in the TL */ + unsigned char buf[10]; /* Buffer for the TL */ + const char *err_string; + int non_der; +}; +#+end_src + +At several places we need to copy the objects to a local buffer. 
For +example we copy OIDs to a statically encoded buffer for further +processing: + +#+begin_src C + struct tag_info ti; + unsigned char tmpbuf[500]; /* for OID or algorithmIdentifier */ + [...] + if (ti.nhdr + ti.length >= DIM(tmpbuf)) + return gpg_error (GPG_ERR_TOO_LARGE); + memcpy (tmpbuf, ti.buf, ti.nhdr); + err = read_buffer (crl->reader, tmpbuf+ti.nhdr, ti.length); +#+end_src + +It is obvious that the sum of the header length (although less than 10 +bytes) and the announced length of the value can easily wrap around +and pass the check. The result is then an overflow of /tmpbuf/ with +all the usual consequences. The code has been there for ages and it +seems that the audits missed this because, well, there is some +overflow check and a too brief check may have only noticed that the +memcpy if fine. + +The fix for this is easy because we can check for an overflow right +away in the parser. Thus /_ksba_ber_read_tl/ finally does this +extra check: + +#+begin_src C + if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length) + { + ti->err_string = "header+length would overflow"; + return gpg_error (GPG_ERR_EOVERFLOW); + } +#+end_src + + +*** Thanks + +This vulnerability was discovered by:\\ +Anonymous working with Trend Micro Zero Day Initiative + +The report was received on 2022-10-04, fix pushed 2022-10-05, new +source code release 2002-10-07, binary releases and announcement on +2022-10-17.
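Review bot: the closing paragraph gives the source release date as "new source code release 2002-10-07", which cannot be right next to the 2022-10-04 report date and 2022-10-05 fix date; it should presumably read 2022-10-07. In the CVE section the Other-IDs line "ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18927" repeats ZDI-CAN-18927, so either one entry is a different identifier or the duplicate should be dropped. In the fix snippet the first conjunct of `if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)` is redundant: nhdr is bounded by the 10-byte buf, so the unsigned sum can only wrap when length is already far larger than nhdr, and `(ti->nhdr + ti->length) < ti->length` alone detects the wrap; harmless, but a short comment would stop readers from wondering what the extra condition guards. Minor wording fixes for the same hunk: "Gpgwin version 4.0.4" should be "Gpg4win", "If your are on Windows" should be "If you are on Windows", and "may have only noticed that the memcpy if fine" should be "is fine".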