Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-11841

A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker to spoof it. Consequently, an attacker can lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, since the library skips Armor Header parsing in general, an attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures.

Published

2019-05-22T17:29:00.287

Last Modified

2024-11-21T04:21:52.537

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.9 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-347

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	golang	crypto	2019-03-25	Yes
Operating System	debian	debian_linux	8.0	Yes
Operating System	debian	debian_linux	9.0	Yes

References

http://packetstormsecurity.com/files/152840/Go-Cryptography-Libraries-Cleartext-Message-Spoofing.html Exploit, Third Party Advisory, VDB Entry ([email protected])
https://go.googlesource.com/crypto/ Product, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2019/09/msg00011.html Mailing List, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2020/10/msg00014.html Mailing List, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html ([email protected])
https://sec-consult.com/ Third Party Advisory ([email protected])
https://sec-consult.com/en/blog/advisories/cleartext-message-spoofing-in-go-cryptography-libraries-cve-2019-11841/ Exploit, Third Party Advisory ([email protected])
http://packetstormsecurity.com/files/152840/Go-Cryptography-Libraries-Cleartext-Message-Spoofing.html Exploit, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://go.googlesource.com/crypto/ Product, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2019/09/msg00011.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2020/10/msg00014.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html (af854a3a-2127-422b-91ae-364da2661108)
https://sec-consult.com/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://sec-consult.com/en/blog/advisories/cleartext-message-spoofing-in-go-cryptography-libraries-cve-2019-11841/ Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)