
A “severe” vulnerability in Libgcrypt, the cryptographic library behind GNU Privacy Guard (GnuPG), could have allowed an attacker to write arbitrary data into memory on the target machine, which could lead to remote code execution.
The flaw, which affects Libgcrypt version 1.9.0, was discovered on January 28 by Tavis Ormandy of Project Zero, a Google security research unit dedicated to finding zero-day vulnerabilities in hardware and software systems.
No other version of Libgcrypt is affected by the vulnerability.
“There is an overrun of the heap buffer in libgcrypt due to an incorrect assumption in the block buffer management code,” Ormandy said. “Only data decryption can overflow a heap buffer with attacker-controlled data, no verification or signature is validated before the vulnerability occurs.”

GnuPG addressed the weakness within a day of the disclosure, while urging users to stop using the vulnerable version. The latest version is available from the project's download site.
The Libgcrypt library is a set of open-source cryptographic tools offered as part of the GnuPG software suite to encrypt and sign data and communications. GnuPG, an implementation of the OpenPGP standard, is used for digital security in many Linux distributions, such as Fedora and Gentoo, although it is not as widely used as OpenSSL or LibreSSL.
According to GnuPG, the error appears to have been introduced in 1.9.0 during its development phase two years ago, as part of a change to “reduce overhead with the generic hash function”, but was only noticed last week by Google Project Zero.
Thus, all an attacker must do to trigger this critical defect is to send the library a specially crafted block of data for decryption, tricking the application into running arbitrary malicious code embedded in it (i.e. shellcode) or crashing a program (in this case, gpg) that relies on the Libgcrypt library.
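The article gives no code, so the following is an added, hypothetical illustration of the bug class it describes (a block buffer that is overrun because the writer assumes incoming data never exceeds the space left in the block); it is not Libgcrypt's code and does not reproduce the actual 1.9.0 defect. The `block_ctx` structure, the `BLOCK_SIZE` of 64 and the 0x41 fill pattern are constructed for the example. The unsafe writer is shown for contrast beside a hardened writer that clamps each copy to the room remaining and loops over the rest of the input; a canary after the buffer lets the demo confirm the hardened path never writes past it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed staging buffer: accumulates input until one full block is
 * ready to be processed. Not libgcrypt's data structure. */
#define BLOCK_SIZE 64

typedef struct {
    uint8_t buf[BLOCK_SIZE]; /* one block of pending input */
    uint8_t canary[8];       /* demo-only sentinel placed right after buf */
    size_t  count;           /* bytes currently held in buf */
} block_ctx;

static const uint8_t CANARY[8] = {0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE, 0xF0, 0x0D};

void ctx_init(block_ctx *c) {
    memset(c->buf, 0, sizeof c->buf);
    memcpy(c->canary, CANARY, sizeof c->canary);
    c->count = 0;
}

/* Incorrect assumption made explicit: the unsafe writer would overrun the
 * block whenever pending bytes plus new bytes exceed one block. Returns 1
 * if a call with these sizes would write past buf. */
int write_would_overrun(size_t count, size_t inlen) {
    return inlen > BLOCK_SIZE - count;
}

/* Unsafe variant (for contrast only, never call it with more than the room
 * left): copies inlen bytes without checking the space remaining. */
void buffer_write_unsafe(block_ctx *c, const uint8_t *in, size_t inlen) {
    memcpy(c->buf + c->count, in, inlen); /* inlen is unbounded here */
    c->count += inlen;
    if (c->count >= BLOCK_SIZE) c->count = 0; /* block "processed" */
}

/* Hardened variant: copy at most the room left, process each full block,
 * and keep looping until all input is consumed. Returns the number of
 * complete blocks processed. */
size_t buffer_write_safe(block_ctx *c, const uint8_t *in, size_t inlen) {
    size_t blocks = 0;
    while (inlen > 0) {
        size_t room = BLOCK_SIZE - c->count;
        size_t n = inlen < room ? inlen : room;
        memcpy(c->buf + c->count, in, n);
        c->count += n;
        in += n;
        inlen -= n;
        if (c->count == BLOCK_SIZE) {
            /* a real implementation would process c->buf here */
            c->count = 0;
            blocks++;
        }
    }
    return blocks;
}

int canary_intact(const block_ctx *c) {
    return memcmp(c->canary, CANARY, sizeof CANARY) == 0;
}

/* Demo driver: feed `total` constructed 0x41 bytes through the safe writer
 * in chunks of `chunk` bytes. Returns blocks processed; *leftover receives
 * bytes still pending; *intact receives whether the canary survived. */
size_t demo_safe(size_t total, size_t chunk, size_t *leftover, int *intact) {
    uint8_t data[256];
    block_ctx c;
    size_t blocks = 0, off = 0;
    if (total > sizeof data) total = sizeof data;
    memset(data, 0x41, sizeof data);
    ctx_init(&c);
    while (off < total) {
        size_t n = total - off < chunk ? total - off : chunk;
        blocks += buffer_write_safe(&c, data + off, n);
        off += n;
    }
    if (leftover) *leftover = c.count;
    if (intact) *intact = canary_intact(&c);
    return blocks;
}

int main(void) {
    size_t left; int ok;
    size_t blocks = demo_safe(130, 50, &left, &ok);
    printf("safe writer: %zu blocks, %zu bytes pending, canary %s\n",
           blocks, left, ok ? "intact" : "CORRUPTED");
    printf("unsafe writer with 0 pending and 65 bytes would overrun: %d\n",
           write_would_overrun(0, 65));
    return 0;
}
```

The hardened loop is the shape a reviewer looks for in any block-oriented cipher or hash update routine: the copy length is derived from the space left in the block, not from the caller's input length, so attacker-controlled input sizes cannot push the write past the buffer.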
“Exploiting this bug is simple and therefore requires immediate action for 1.9.0 users,” noted Libgcrypt author Werner Koch. “The 1.9.0 tarballs on our FTP server have been renamed so that the scripts can no longer get this version.”