First published: Tue Aug 29 2023
### Impact

OpenPGP Cleartext Signed Messages are cryptographically signed messages where the signed text is readable without special tools:

```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This text is signed.
-----BEGIN PGP SIGNATURE-----
wnUEARMIACcFgmTkrNAJkInXCgj0fgcIFiEE1JlKzzDGQxZmmHkYidcKCPR+
BwgAAKXDAQDWGhI7tPbhB+jlKwe4+yPJ+9X8aWDUG60XFNi/w8T7ZgEAsAGd
WJrkm/H5AXGZsqyqqO6IWGF0geTCd4mWm/CsveM=
-----END PGP SIGNATURE-----
```

These messages typically contain a "Hash: ..." header declaring the hash algorithm used to compute the signature digest. OpenPGP.js up to v5.9.0 ignored any data preceding the "Hash: ..." header when verifying the signature. As a result, a malicious party could prepend arbitrary text to a third-party Cleartext Signed Message and lead the victim to believe that the arbitrary text was signed.

A user or application is vulnerable to this attack vector if it verifies the CleartextMessage by only checking the returned `verified` property, discarding the associated `data`, and instead _visually trusting_ the contents of the original message:

```js
import * as openpgp from 'openpgp';

// `verificationKeys` is the signer's public key, e.g. the result of
// `await openpgp.readKey({ armoredKey })`.
const cleartextMessage = `
-----BEGIN PGP SIGNED MESSAGE-----
This text is not signed but you might think it is.
Hash: SHA256

This text is signed.
-----BEGIN PGP SIGNATURE-----
wnUEARMIACcFgmTkrNAJkInXCgj0fgcIFiEE1JlKzzDGQxZmmHkYidcKCPR+
BwgAAKXDAQDWGhI7tPbhB+jlKwe4+yPJ+9X8aWDUG60XFNi/w8T7ZgEAsAGd
WJrkm/H5AXGZsqyqqO6IWGF0geTCd4mWm/CsveM=
-----END PGP SIGNATURE-----
`;

// Parse the armored message; in vulnerable versions the smuggled line is silently skipped.
const message = await openpgp.readCleartextMessage({ cleartextMessage });
// Verify against the signer's key; the result carries the signed `data` and per-signature `verified` promises.
const verificationResult = await openpgp.verify({ message, verificationKeys });
console.log(await verificationResult.signatures[0].verified); // output: true
console.log(verificationResult.data); // output: 'This text is signed.'
```

Since `verificationResult.data` always contains the actual signed data, users and apps that check this information are not vulnerable.

Similarly, given a CleartextMessage object, retrieving the data using `getText()` or the `text` field returns only the contents that are considered when verifying the signature. Finally, re-armoring a CleartextMessage object (using `armor()`) will also result in a "sanitised" version, with the extraneous text removed. Because of this, we consider the vulnerability impact to be very limited when the CleartextMessage is processed programmatically; this is reflected in the CVSS severity assessment, specifically in the Scope metric ("Unchanged").

### Patches

- v5.10.1 (current stable version) will reject such messages when calling `openpgp.readCleartextMessage()`
- v4.10.11 (legacy version) will reject such messages when calling `openpgp.cleartext.readArmored()`

### Workarounds

Check the contents of `verificationResult.data` to see what data was actually signed, rather than visually trusting the contents of the armored message.

### References

Similar CVE: https://sec-consult.com/vulnerability-lab/advisory/cleartext-message-spoofing-in-go-cryptography-libraries-cve-2019-11841/
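The Impact and Workarounds sections above describe the gap in prose: text placed between the `BEGIN PGP SIGNED MESSAGE` line and the `Hash:` header is not covered by the signature, and the safe behaviour is to display only the data the signature covers. The following is an added example, not code from the OpenPGP.js project or from this advisory: a strict parser for the cleartext-signature framing of RFC 4880 section 7 that rejects any non-header line in that region and returns only the signed text (including dash-unescaping and trailing-whitespace removal, which the advisory does not go into). The function names `parseCleartextSigned` and `signedTextForDisplay` and the sample messages are constructed for this example; the signature armor is copied from the advisory and is not verified here.

```javascript
// Added example (not OpenPGP.js code): strict parser for the cleartext-signature
// framing of RFC 4880 section 7. It returns the text a verifier would actually hash
// and refuses messages with any non-header line between the BEGIN line and the
// blank line that closes the header block, which is the spoofing gap this advisory
// describes. Signature verification itself is out of scope; the armor is only extracted.

const BEGIN_SIGNED = '-----BEGIN PGP SIGNED MESSAGE-----';
const BEGIN_SIG = '-----BEGIN PGP SIGNATURE-----';
const END_SIG = '-----END PGP SIGNATURE-----';

function parseCleartextSigned(armored) {
  const lines = armored.replace(/\r\n/g, '\n').split('\n');
  let i = 0;
  // Tolerate leading blank lines, which template literals and copy/paste often add.
  while (i < lines.length && lines[i].trim() === '') i++;
  if (lines[i] !== BEGIN_SIGNED) throw new Error('missing BEGIN PGP SIGNED MESSAGE line');
  i++;

  // Header block: RFC 4880 allows only "Hash:" armor headers here, and the block
  // must be closed by an empty line. Anything else in this region is not signed,
  // so a reader who trusts it visually is being misled. Reject it outright.
  const hashes = [];
  let headerClosed = false;
  while (i < lines.length) {
    const line = lines[i++];
    if (line === '') { headerClosed = true; break; }
    const m = /^Hash: ([A-Za-z0-9 ,]+)$/.exec(line);
    if (!m) throw new Error(`unsigned text in cleartext header block: ${JSON.stringify(line)}`);
    hashes.push(...m[1].split(',').map(h => h.trim()).filter(Boolean));
  }
  if (!headerClosed) throw new Error('cleartext header block is not terminated by an empty line');

  // Signed body: runs until the signature armor. Per RFC 4880 7.1, lines that start
  // with "-" are dash-escaped as "- " and trailing whitespace is not part of the signed data.
  const body = [];
  let sawSignature = false;
  while (i < lines.length) {
    const line = lines[i++];
    if (line === BEGIN_SIG) { sawSignature = true; break; }
    const unescaped = line.startsWith('- ') ? line.slice(2) : line;
    body.push(unescaped.replace(/[ \t]+$/, ''));
  }
  if (!sawSignature) throw new Error('missing BEGIN PGP SIGNATURE line');

  // Detached signature armor, collected verbatim for a separate verifier.
  const signatureLines = [];
  let sawEnd = false;
  while (i < lines.length) {
    const line = lines[i++];
    if (line === END_SIG) { sawEnd = true; break; }
    signatureLines.push(line);
  }
  if (!sawEnd) throw new Error('missing END PGP SIGNATURE line');

  return { hashes, text: body.join('\n'), signatureArmor: signatureLines.join('\n') };
}

// Returns only text the signature covers, or null when the framing is malformed.
// This is what a UI should render instead of the raw armored blob.
function signedTextForDisplay(armored) {
  try {
    return parseCleartextSigned(armored).text;
  } catch {
    return null;
  }
}

// Constructed samples. The signature armor is copied from the advisory text and is
// not verified by this example.
const SIGNATURE_ARMOR = [
  'wnUEARMIACcFgmTkrNAJkInXCgj0fgcIFiEE1JlKzzDGQxZmmHkYidcKCPR+',
  'BwgAAKXDAQDWGhI7tPbhB+jlKwe4+yPJ+9X8aWDUG60XFNi/w8T7ZgEAsAGd',
  'WJrkm/H5AXGZsqyqqO6IWGF0geTCd4mWm/CsveM=',
].join('\n');

const GOOD_MESSAGE = `${BEGIN_SIGNED}
Hash: SHA256

This text is signed.
${BEGIN_SIG}
${SIGNATURE_ARMOR}
${END_SIG}`;

// The spoof from the advisory: a line smuggled in before the Hash header.
const SPOOFED_MESSAGE = `${BEGIN_SIGNED}
This text is not signed but you might think it is.
Hash: SHA256

This text is signed.
${BEGIN_SIG}
${SIGNATURE_ARMOR}
${END_SIG}`;

console.log(signedTextForDisplay(GOOD_MESSAGE));    // 'This text is signed.'
console.log(signedTextForDisplay(SPOOFED_MESSAGE)); // null
```

The parser mirrors the patched behaviour (rejecting the message at parse time) rather than the pre-patch behaviour (skipping the extra lines), so a caller never has a `verified` result for a message whose visible text differs from its signed text. The `hashes` list is returned so a verifier can choose the digest named in the header.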
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
npm/openpgp | >=5.0.0, <5.10.1 | 5.10.1 |
npm/openpgp | <4.10.11 | 4.10.11 |
Openpetra | <4.10.11 | |
Openpetra | >=5.0.0, <5.10.0 | |
CVE-2023-41037 is classified as a moderate severity vulnerability due to its impact on the security of PGP signed messages.
To fix CVE-2023-41037, upgrade OpenPGP.js to version 5.10.1, or to 4.10.11 on the legacy 4.x line.
CVE-2023-41037 affects versions of the OpenPGP.js library from 5.0.0 up to and including 5.10.0, and also versions prior to 4.10.11.
CVE-2023-41037 involves the parsing of cleartext signed messages during signature verification, which can be exploited under certain conditions.
CVE-2023-41037 is not classified as a zero-day vulnerability, as patches are available for affected versions.