[Announce] [CVE-2022-3515] GnuPG / Libksba Security Advisory

Werner Koch wk at gnupg.org
Mon Oct 17 09:43:56 CEST 2022


           __________________________________________________

                  SECURITY ADVISORY FOR LIBKSBA/GNUPG
                            (CVE-2022-3515)

                             g10 Code GmbH
           __________________________________________________


                               2022-10-17


Integer Overflow in LibKSBA / GnuPG
===================================

  A severe bug has been found in [Libksba] , the library used by GnuPG
  for parsing the ASN.1 structures as used by S/MIME.  The bug affects
  all versions of [Libksba] before 1.6.2 and may be used for remote code
  execution.

     *Updating this library is thus important*.


Who is affected
~~~~~~~~~~~~~~~

  The major user of Libksba is /gpgsm/, the S/MIME cousin of /gpg/.
  There it is used to parse all kind of input data, in particular signed
  or encrypted data in files or in mails.  Feeding a user with malicious
  data can thus be easily achieved.

  A second user of Libksba is /dirmngr/, which is responsible for
  loading and parsing Certificate Revocation Lists (CRLs) and for
  verifying certificates used by TLS (i.e. https connections).  Mounting
  an attack is a bit more complex but can anyway be easily done using a
  rogue web server to serve a Web Key Directory, certificates, or CRLs.

  An exploit is not yet publicly known but very straightforward to
  create for experienced crooks.

  Affected to our knowledge are:

  - Most software using /Libksba/ versions up to 1.6.1

  - All /Gpg4win/ versions from version 2.0.0 up to 4.0.3

  - All /GnuPG VS-Desktop/ versions from 3.1.16 up to 3.1.24

  - All /GnuPG installers for Windows/ from version 2.3.0 up to 2.3.7

  - All /GnuPG LTS installers for Windows/ from version 2.1.0 up to
    2.2.39



How to fix
~~~~~~~~~~

  If you are on a Unix or Linux system you should get the latest version
  of Libksba (1.6.2 or newer), build the software and install the new
  shared library.  Restart any background processes (e.g. `gpgconf
  --kill all' for GnuPG).  In the rare case that Libksba is statically
  linked remember to rebuild those binaries.

  If your are on Windows or if you use an AppImage of GnuPG VS-Desktop
  update to the latest version:

  - Gpgwin version 4.0.4 or newer
  - GnuPG VS-Desktop version 3.1.25 or newer (MSI or AppImage)
  - GnuPG installer for Windows version 2.3.8
  - GnuPG LTS installer for Windows version 2.2.40

  In case you are not yet ready to deploy a new version, please extract
  `libksba-8.dll' from the respective package and replace the original
  one by this one.  This is sufficient to fix the security issue.

  See https://gnupg.org/download for links to the latest packages.
  For Gpg4win see https://gpg4win.org


How to check whether GnuPG has been fixed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  GnuPG is the most prominent user of Libksba and it is not immediately
  visible whether a fixed version of Libksba is used. To check this run:

  ,----
  | gpgconf --show-versions
  `----

  and watch out for a line like

  ,----
  | * KSBA 1.6.2 (xxxxx)
  `----

  If you see a version number of 1.6.2 or newer, you got the fix.


CVE
~~~

  GnuPG-bug-id: 6230 (https://dev.gnupg.org/T6230)
  CVE ........: CVE-2022-3515
  CVSS .......: 8.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  Other-IDs ..: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18927

  CVSS taken from the Trend Micro Zero Day Initiative report.


Technical background
====================

  The task of Libksba is to parse and build ASN.1 objects as used by
  S/MIME, X.509, and CMS.  The used encoding (BER, DER) is based on
  tag-length-value objects.  The function /_ksba_ber_read_tl/ parses
  such data and returns the tag and associated information in this
  structure:

  ,----
  | struct tag_info {
  |   enum tag_class class;
  |   int is_constructed;
  |   unsigned long tag;
  |   unsigned long length;  /* Length part of the TLV */
  |   int ndef;              /* It is an indefinite length */
  |   size_t nhdr;           /* Number of bytes in the TL */
  |   unsigned char buf[10]; /* Buffer for the TL */
  |   const char *err_string;
  |   int non_der;
  | };
  `----

  At several places we need to copy the objects to a local buffer.  For
  example we copy OIDs to a statically encoded buffer for further
  processing:

  ,----
  | struct tag_info ti;
  | unsigned char tmpbuf[500]; /* for OID or algorithmIdentifier */
  | [...]
  | if (ti.nhdr + ti.length >= DIM(tmpbuf))
  |   return gpg_error (GPG_ERR_TOO_LARGE);
  | memcpy (tmpbuf, ti.buf, ti.nhdr);
  | err = read_buffer (crl->reader, tmpbuf+ti.nhdr, ti.length);
  `----

  It is obvious that the sum of the header length (although less than 10
  bytes) and the announced length of the value can easily wrap around
  and pass the check.  The result is then an overflow of /tmpbuf/ with
  all the usual consequences.  The code has been there for ages and it
  seems that the audits missed this because, well, there is some
  overflow check and a too brief check may have only noticed that the
  memcpy if fine.

  The fix for this is easy because we can check for an overflow right
  away in the parser.  Thus /_ksba_ber_read_tl/ finally does this extra
  check:

  ,----
  | if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
  |   {
  |     ti->err_string = "header+length would overflow";
  |     return gpg_error (GPG_ERR_EOVERFLOW);
  |   }
  `----


Thanks
~~~~~~

  This vulnerability was discovered by:
  Anonymous working with Trend Micro Zero Day Initiative

  The report was received on 2022-10-04, fix pushed 2022-10-05, new
  source code release 2002-10-07, binary releases and announcement on
  2022-10-17.




[Libksba] https://gnupg.org/software/libksba/


-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20221017/c2f6bc77/attachment-0001.sig>
-------------- next part --------------
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce


More information about the Gnupg-devel mailing list