BOSTON -- Core Security Technologies, provider of CORE IMPACT, the first-to-market penetration testing product for assessing specific information security risks, today issued an advisory disclosing a flaw in the GNU Privacy Guard (GnuPG or GPG), an OpenPGP-compliant cryptographic software system and part of the Free Software Foundations GNU software project and third-party email applications that rely on it for encrypted and signed email communications. CoreLabs, the research arm of Core Security, discovered that by exploiting this vulnerability an attacker can add arbitrary content to encrypted and/or signed emails in order to mislead recipients about the trustworthiness of a message. In addition, attackers can use this flaw to bypass content-filtering defenses (e.g., anti-spam mechanisms), which makes it particularly inconvenient to detect phishing attacks.
This vulnerability impacts users of a broad range of open-source email client software programs, including KMail, Evolution, Sylpheed, Mutt, and GNUMail. The vulnerability also affects Enigmail, an extension to the mail client of Mozilla/Netscape and Mozilla Thunderbird that allows users to access the authentication and encryption features provided by GnuPG. Enigmail and GnuPG have released new versions of their software to address this vulnerability. CoreLabs has also published a workaround to help users to detect and prevent exploitation.
This vulnerability is a good example of how very subtle implementation decisions on how to interface data communications between two applications, in this case email front-end extensions and GnuPG, can end up exposing end users to unexpected security weaknesses. said Iván Arce, CTO at Core Security Technologies. We continue to encourage and support the use of GnuPG as a convenient way to improve the security and privacy of communications. To that effect and to prevent traffic analysis attacks we also recommend that encryption should be turned on by default on every email.