J-Security Center

Title: Mutt PGP/GnuPG Verified Email Signature Spoofing Vulnerability

Severity: MODERATE

Description:

Mutt is a freely available, open source mail user agent (MUA). It is available for the Unix and Linux platforms.

It is reported that Mutt contains a vulnerability that allows attackers to send email that spoofs the look of a successfully verified PGP/GnuPG email message.

By crafting an email message containing ^H (backspace) characters, an attacker can create a message that looks like it carries a valid PGP/GnuPG signature. Several Unix utilities, including 'less' and 'man', interpret a sequence of characters such as 'x^Hx' to mean that the 'x' character should be displayed in bold. This convention originates from line printers, which would imprint the character twice, creating a bold effect.

In Mutt, such sequences of '^H' characters can be used to create bold lines of text, potentially simulating the look of the PGP/GnuPG output that Mutt usually includes when processing signed email messages. If the targeted user employs Mutt with a configuration that uses the same bold output for these lines, the attacker may make the message look almost identical to a properly signed and verified email.

This may allow an attacker to create a message that falsifies a correctly verified PGP/GnuPG signature. This could allow an attacker to spoof email from trusted sources. This will likely greatly increase the effectiveness of social engineering attacks since it may lend an air of authenticity to the message.

If the attacker sends the message with a MIME Content-Type of 'multipart/signed', the index mode 's' status character will be present as well.

In the index mode, messages with signatures have the 's' flag, which changes to 'S' once the signature is verified. Checking that messages have the proper attributes will aid in the mitigation of this vulnerability. Verifying that "PGP signature successfully verified." is displayed in the status message area will also mitigate this vulnerability. The status message cannot be spoofed by email contents unless the 'allow_ansi' option is enabled.
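A mail-side check for the overstrike sequences described above, as an added example that is not part of the original advisory or of Mutt: it flags body lines containing 'x^Hx' and reports whether the message declares 'multipart/signed', which alone only yields the unverified 's' flag. The function names and the sample message are constructed for illustration.

```python
import email
import re
from email import policy

# 'x^Hx': a character, a backspace (0x08), then the same character again.
OVERSTRIKE = re.compile(r"(.)\x08\1")

def collapse_overstrike(line):
    """Return (text as a pager would show it, number of bold cells)."""
    return OVERSTRIKE.subn(r"\1", line)

def audit_message(raw):
    """Report backspace use in text parts and any signature claim."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # containers and the signature part carry no body text
        for number, line in enumerate(part.get_content().splitlines(), 1):
            shown, bold_cells = collapse_overstrike(line)
            # Flag bold overstrike and any other stray backspace as well.
            if bold_cells or "\x08" in line:
                findings.append((number, shown, bold_cells))
    return {
        # A declared signature is not a verified one ('s' versus 'S').
        "claims_signature": msg.get_content_type() == "multipart/signed",
        "overstruck_lines": findings,
    }

# Constructed sample: the word "bold" on body line 2 is overstruck.
SAMPLE = (
    b"From: sender@example.org\n"
    b"Subject: constructed sample\n"
    b"Content-Type: text/plain; charset=us-ascii\n"
    b"\n"
    b"plain first line\n"
    b"b\x08bo\x08ol\x08ld\x08d second line\n"
)

if __name__ == "__main__":
    print(audit_message(SAMPLE))
```

Any hit in `overstruck_lines` means the body is trying to control its own rendering, so text in it that resembles verification output should be disregarded in favour of the index flag and the status message.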

Versions 1.3.28 and 1.5.6 are reported affected by this vulnerability. Other versions are also likely affected.

Affected Products:

  • Debian Linux 3.0.0
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • MandrakeSoft Linux Mandrake 8.2.0
  • MandrakeSoft Linux Mandrake 8.2.0 ppc
  • Mutt Mutt 1.3.28
  • Mutt Mutt 1.5.6
