A “severe” vulnerability in GNU Privacy Guard (GnuPG)’s Libgcrypt encryption software could have allowed an attacker to write arbitrary data to the target machine, potentially leading to remote code execution.
The flaw, which affects version 1.9.0 of libgcrypt, was discovered on January 28 by Tavis Ormandy of Project Zero, a security research unit within Google dedicated to finding zero-day bugs in hardware and software systems.
No other versions of Libgcrypt are affected by the vulnerability.
“There is a heap buffer overflow in libgcrypt due to an incorrect assumption in the block buffer management code,” Ormandy said. “Just decrypting some data can overflow a heap buffer with attacker controlled data, no verification or signature is validated before the vulnerability occurs.”
The Libgcrypt library is an open-source cryptographic toolkit offered as part of GnuPG software suite to encrypt and sign data and communications. An implementation of OpenPGP, it’s used for digital security in many Linux distributions such as Fedora and Gentoo, although it isn’t as widely used as OpenSSL or LibreSSL.
According to GnuPG, the bug appears to have been introduced in 1.9.0 during its development phase two years ago as part of a change to “reduce overhead on generic hash write function,” but it was only spotted last week by Google Project Zero.
Thus all an attacker needs to do to trigger this critical flaw is to send the library a block of specially-crafted data to decrypt, thus tricking the application into running an arbitrary fragment of malicious code embedded in it (aka shellcode) or crash a program (in this case, gpg) that relies on the libgcrypt library.
“Exploiting this bug is simple and thus immediate action for 1.9.0 users is required,” Libgcrypt author Werner Koch noted. “The 1.9.0 tarballs on our FTP server have been renamed so that scripts won’t be able to get this version anymore.”
Is your business effected by Cyber Crime?
If a cyber crime or cyber attack happens to you, you need to respond quickly. Cyber crime in its several formats such as online identity theft, financial fraud, stalking, bullying, hacking, e-mail fraud, email spoofing, invoice fraud, email scams, banking scam, CEO fraud. Cyber fraud can lead to major disruption and financial disasters. Contact Digitpol’s hotlines or respond to us online.
Digitpol’s Cyber Crime Investigation Unit provides investigative support to victims of cyber crimes. Digitpol is available 24/7. https://digitpol.com/cybercrime-investigation/
UK +44 20 8089 9944