SB2019082306 - Multiple vulnerabilities in OpenPGP.js

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Improper Authentication (CVE-ID: CVE-2019-9153)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due the software does not verify the signature type during verification of a message signature. A remote attacker can send a specially crafted message with replaced signatures with a "standalone" or "timestamp" signature and  forge signed messages.

2) Improper Authentication (CVE-ID: CVE-2019-9154)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the unhashed subpackets are not cryptographically protected. A remote attacker can arbitrarily modify the contents of e.g. a key certification signature or revocation signature. As a result, the attacker can e.g. convince a victim to use an obsolete key for encryption.

3) Cryptographic issues (CVE-ID: CVE-2019-9155)

Remediation

Install update from vendor's website.

References

• https://github.com/openpgpjs/openpgpjs/pull/797/commits/327d3e5392a6f59a4270569d200c7f7a2bfc4cbc
• https://github.com/openpgpjs/openpgpjs/pull/816
• https://github.com/openpgpjs/openpgpjs/releases/tag/v4.2.0
• https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-openpgp-js/
• https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailv...
• https://github.com/openpgpjs/openpgpjs/pull/797
• https://github.com/openpgpjs/openpgpjs/pull/797/commits/47138eed61473e13ee8f05931119d3e10542c5e1
• https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.html#download=1
• https://github.com/openpgpjs/openpgpjs/pull/853
• https://github.com/openpgpjs/openpgpjs/pull/853/commits/7ba4f8c655e7fd7706e8d7334e44b40fdf56c43e
• https://github.com/openpgpjs/openpgpjs/releases/tag/v4.3.0