Multiple vulnerabilities in OpenPGP.js
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2019-9153 CVE-2019-9154 CVE-2019-9155 |
| CWE-ID | CWE-287 CWE-310 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. |
| Vulnerable software |
OpenPGP.js Universal components / Libraries / Libraries used by multiple products |
| Vendor | ProtonMail |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper Authentication
EUVDB-ID: #VU20371
Risk: Medium
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-9153
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due the software does not verify the signature type during verification of a message signature. A remote attacker can send a specially crafted message with replaced signatures with a "standalone" or "timestamp" signature and forge signed messages.
Install updates from vendor's website.
Vulnerable software versionsOpenPGP.js: 0.1.0 - 4.2.0
CPE2.3- cpe:2.3:a:protonmail:openpgp.js:0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:protonmail:openpgp.js:0.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:protonmail:openpgp.js:0.2.1:*:*:*:*:*:*:*
https://github.com/openpgpjs/openpgpjs/pull/797/commits/327d3e5392a6f59a4270569d200c7f7a2bfc4cbc
https://github.com/openpgpjs/openpgpjs/pull/816
https://github.com/openpgpjs/openpgpjs/releases/tag/v4.2.0
https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-openpgp-js/
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailv...
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Improper Authentication
EUVDB-ID: #VU20372
Risk: Medium
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-9154
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to the unhashed subpackets are not cryptographically protected. A remote attacker can arbitrarily modify the contents of e.g. a key certification signature or revocation signature. As a result, the attacker can e.g. convince a victim to use an obsolete key for encryption.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOpenPGP.js: 0.1.0 - 4.2.0
CPE2.3- cpe:2.3:a:protonmail:openpgp.js:0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:protonmail:openpgp.js:0.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:protonmail:openpgp.js:0.2.1:*:*:*:*:*:*:*
https://github.com/openpgpjs/openpgpjs/pull/797
https://github.com/openpgpjs/openpgpjs/pull/797/commits/47138eed61473e13ee8f05931119d3e10542c5e1
https://github.com/openpgpjs/openpgpjs/releases/tag/v4.2.0
https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-openpgp-js/
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.html#download=1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Cryptographic issues
EUVDB-ID: #VU20375
Risk: Medium
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-9155
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionInstall updates from vendor's website.
Vulnerable software versionsOpenPGP.js: 0.1.0 - 4.2.0
CPE2.3- cpe:2.3:a:protonmail:openpgp.js:0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:protonmail:openpgp.js:0.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:protonmail:openpgp.js:0.2.1:*:*:*:*:*:*:*
https://github.com/openpgpjs/openpgpjs/pull/853
https://github.com/openpgpjs/openpgpjs/pull/853/commits/7ba4f8c655e7fd7706e8d7334e44b40fdf56c43e
https://github.com/openpgpjs/openpgpjs/releases/tag/v4.3.0
https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-openpgp-js/
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.html#download=1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
