Colin Mc Hugo

Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

Google Discloses Severe Bug in Libgcrypt Encryption Library—Impacting Many Projects

February 1, 2021

A “severe” vulnerability in GNU Privacy Guard (GnuPG)’s Libgcrypt encryption software could have allowed an attacker to write arbitrary data to the target machine, potentially leading to remote code execution.

The flaw, which affects version 1.9.0 of libgcrypt, was discovered on January 28 by Tavis Ormandy of Project Zero, a security research unit within Google dedicated to finding zero-day bugs in hardware and software systems.

No other versions of Libgcrypt are affected by the vulnerability.

“There is a heap buffer overflow in libgcrypt due to an incorrect assumption in the block buffer management code,” Ormandy said. “Just decrypting some data can overflow a heap buffer with attacker controlled data, no verification or signature is validated before the vulnerability occurs.”


GnuPG addressed the weakness almost immediately, within a day of disclosure, while urging users to stop using the vulnerable version. The latest version can be downloaded here.

The Libgcrypt library is an open-source cryptographic toolkit offered as part of the GnuPG software suite to encrypt and sign data and communications. An implementation of OpenPGP, it is used for digital security in many Linux distributions such as Fedora and Gentoo, although it is not as widely used as OpenSSL or LibreSSL.

According to GnuPG, the bug appears to have been introduced in 1.9.0 during its development phase two years ago as part of a change to “reduce overhead on generic hash write function,” but it was only noticed last week by Google Project Zero.

All an attacker needs to do to trigger this critical flaw is send the library a block of specially crafted data to decrypt, tricking the application into running an arbitrary fragment of malicious code embedded in it (i.e. shellcode) or crashing a program (in this case, gpg) that relies on the Libgcrypt library.
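To make the class of defect described above concrete, here is an added illustration in C. It is constructed for this article and is not libgcrypt's code, nor a reconstruction of the 1.9.0 bug: the context layout, the `ASSUMED_MAX_BLOCKSIZE` constant and all function names are hypothetical. It models a hash or cipher context that accumulates a partial block in a heap buffer sized to the algorithm's real block size, shows a write routine whose copy length is bounded by the room actually left in that buffer, and, separately, computes how far a write would run past the allocation if the routine instead took its bound from a larger compile-time maximum (the "incorrect assumption" pattern) without performing that write.

```c
/*
 * Constructed illustration (not libgcrypt code): a block-buffer writer with
 * the bound taken from the real allocation, plus a model of the unsafe bound.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define ASSUMED_MAX_BLOCKSIZE 128   /* hypothetical hard-coded maximum */

typedef struct {
    size_t   blocksize;   /* block size of the algorithm, e.g. 64 bytes */
    size_t   count;       /* bytes currently held in buf, always < blocksize */
    size_t   blocks_done; /* full blocks handed to the stand-in compression step */
    uint8_t *buf;         /* heap allocation of exactly blocksize bytes */
} block_ctx;

block_ctx *ctx_new(size_t blocksize)
{
    if (blocksize == 0 || blocksize > ASSUMED_MAX_BLOCKSIZE)
        return NULL;
    block_ctx *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->buf = calloc(blocksize, 1);      /* sized to the real block size */
    if (!c->buf) { free(c); return NULL; }
    c->blocksize = blocksize;
    return c;
}

void ctx_free(block_ctx *c)
{
    if (!c) return;
    free(c->buf);
    free(c);
}

/* Stand-in for the compression function: consume one full block. */
static void process_block(block_ctx *c)
{
    c->blocks_done++;
    c->count = 0;
}

/* Hardened write: copy length is bounded by blocksize - count, never by a
 * compile-time maximum; a violated invariant refuses the write outright. */
int block_write(block_ctx *c, const uint8_t *in, size_t inlen)
{
    if (!c || !in || c->count >= c->blocksize)
        return -1;
    while (inlen > 0) {
        size_t room = c->blocksize - c->count;
        size_t n = inlen < room ? inlen : room;
        memcpy(c->buf + c->count, in, n);
        c->count += n;
        in += n;
        inlen -= n;
        if (c->count == c->blocksize)
            process_block(c);
    }
    return 0;
}

/* Models the unsafe assumption WITHOUT performing the copy: if the room were
 * computed from ASSUMED_MAX_BLOCKSIZE instead of the real blocksize, how many
 * bytes would land past the end of a buf of `blocksize` bytes? */
size_t overflow_bytes_if_assumed(size_t blocksize, size_t count, size_t inlen)
{
    if (count >= ASSUMED_MAX_BLOCKSIZE) return 0;
    size_t assumed_room = ASSUMED_MAX_BLOCKSIZE - count;   /* the wrong bound */
    size_t n = inlen < assumed_room ? inlen : assumed_room;
    size_t end = count + n;
    return end > blocksize ? end - blocksize : 0;
}

/* Feed `total` bytes of constructed input through a context and report state. */
int write_and_summarize(size_t blocksize, size_t total, size_t *blocks, size_t *rem)
{
    block_ctx *c = ctx_new(blocksize);
    if (!c) return -1;
    uint8_t *data = malloc(total ? total : 1);
    if (!data) { ctx_free(c); return -1; }
    memset(data, 0x41, total);          /* constructed sample input */
    int rc = block_write(c, data, total);
    *blocks = c->blocks_done;
    *rem = c->count;
    free(data);
    ctx_free(c);
    return rc;
}

int main(void)
{
    size_t blocks = 0, rem = 0;
    write_and_summarize(64, 200, &blocks, &rem);
    printf("64-byte blocks: %zu full, %zu bytes buffered\n", blocks, rem);
    printf("bytes past a 64-byte buf if room came from the 128-byte maximum: %zu\n",
           overflow_bytes_if_assumed(64, 60, 100));
    return 0;
}
```

The point for reviewers of buffer-management code is the single bound in `block_write`: the copy length derives from the allocation the context actually owns, so a change to the write path cannot outrun `buf` regardless of which block size the algorithm uses. `overflow_bytes_if_assumed` is the audit question to ask of any such routine: if the bound came from a constant rather than the allocation, which inputs would write past the end?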

“Exploiting this bug is simple and thus immediate action for 1.9.0 users is required,” Libgcrypt author Werner Koch noted. “The 1.9.0 tarballs on our FTP server have been renamed so that scripts won’t be able to get this version anymore.”
