SigSpoof

Last updated

SigSpoof
CVE identifier CVE- 2018-12020
Date discoveredJune 2018;7 years ago (2018-06)
DiscovererMarcus Brinkmann
Affected software GNU Privacy Guard (GnuPG) from v0.2.2 to v2.2.8.

SigSpoof (CVE - 2018-12020) is a family of security vulnerabilities that affected the software package GNU Privacy Guard ("GnuPG") since version 0.2.2, that was released in 1998. [1] Several other software packages that make use of GnuPG were also affected, such as Pass and Enigmail. [2] [1]

In un-patched versions of affected software, SigSpoof attacks allow cryptographic signatures to be convincingly spoofed, under certain circumstances. [1] [3] [4] [2] [5] This potentially enables a wide range of subsidiary attacks to succeed. [1] [3] [4] [2] [5]

References

  1. 1 2 3 4 Goodin, Dan (2018-06-14). "Decades-old PGP bug allowed hackers to spoof just about anyone's signature". Ars Technica. Retrieved 2018-10-08.
  2. 1 2 3 Chirgwin, Richard (2018-06-19). "Pass gets a fail: Simple Password Store suffers GnuPG spoofing bug". The Register. Retrieved 2018-10-08.
  3. 1 2 Böck, Hanno (2018-06-13). "SigSpoof: Signaturen fälschen mit GnuPG". Golem.de. Retrieved 2018-10-08.
  4. 1 2 von Westernhagen, Olivia (2018-06-14). "Enigmail und GPG Suite: Neue Mail-Plugin-Versionen schließen GnuPG-Lücke". Heise Security. Retrieved 2018-10-08.
  5. 1 2 "20 Jahre alter Fehler entdeckt: PGP-Signaturen ließen sich einfach fälschen - derStandard.at". Der Standard. 2018-06-18. Retrieved 2018-10-08.


This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.