Title: GNUMail.App GnuPG Arbitrary Content Injection Vulnerability
Severity: MODERATE
Description:
GNUMail.app is a clone of the NeXT Mail.app application. It uses the GNUstep development framework.
GNUMail.app is prone to a vulnerability that may allow an attacker to add arbitrary content into a message without the end user knowing.
An attacker may be able to exploit this issue to add arbitrary content to a GnuPG signed and/or encrypted message. The problem stems from the display of the packets to the end user. The application improperly uses GnuPG to display the packets in a manner such that the end user doesn't realize the content has been modified. This is primarily due to the design of the OpenPGP protocol and may be avoided if the application properly uses '--status-fd'.
The following attack vectors are available to exploit this issue; other attack vectors may also be possible:
- Prepending plaintext to an only-signed message. This issue occurs when a single 'Literal()' packet is prepended to an existing message. GnuPG will report that the signature is correct for the original text, but will not report anything for the prepended text.
- Prepending plaintext to a clearsign message. Clearsign messages are messages signed and encapsulated to be sent as an email. An attacker can prepend plaintext to a clearsign message by first converting it to a GnuPG signed message and then prepending the text as detailed in the above example.
- Prepending plaintext to an encrypted and signed message. This issue is similar to the first where a single 'Literal()' packet is prepended to an existing encrypted message.
- Prepending an encrypted message to an encrypted and signed message. This issue requires that the prepended 'Literal()' message be encrypted first.
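The following is an added example, not part of the original advisory and not GNUMail.app code. It shows a check of the kind the '--status-fd' remark above points to: the caller reads GnuPG's machine-readable status lines and presents output as signed only when exactly one plaintext packet and a good signature are reported. The status samples are constructed, and the function names and the one-plaintext policy are assumptions of this example.

```python
import re

# Status keywords as documented in GnuPG's doc/DETAILS.
FAILED_SIG = {"BADSIG", "ERRSIG"}

def parse_status(status_text):
    """Return (keyword, args) pairs from `gpg --status-fd` output."""
    events = []
    for line in status_text.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+)(?: (.*))?$", line)
        if m:
            events.append((m.group(1), m.group(2) or ""))
    return events

def display_verdict(status_text):
    """Decide whether the decoded output may be shown as signed content."""
    keywords = [k for k, _ in parse_status(status_text)]
    if any(k in FAILED_SIG for k in keywords):
        return "reject: bad or unverifiable signature"
    if "GOODSIG" not in keywords:
        return "unsigned: no good signature reported"
    n = keywords.count("PLAINTEXT")
    if n != 1:
        # More than one literal packet: a good signature cannot vouch for all of it.
        return "reject: expected exactly one plaintext packet, saw %d" % n
    return "signed"

# Constructed status output (illustrative key id, user id and timestamps).
SAMPLE_SIGNED = """\
[GNUPG:] PLAINTEXT 62 1172000000 note.txt
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>
"""

# Constructed: an extra plaintext packet reported ahead of the signed one.
SAMPLE_EXTRA_PACKET = """\
[GNUPG:] PLAINTEXT 62 0 extra.txt
[GNUPG:] PLAINTEXT 62 1172000000 note.txt
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>
"""

SAMPLE_UNSIGNED = "[GNUPG:] PLAINTEXT 62 1172000000 note.txt\n"

if __name__ == "__main__":
    for name in ("SAMPLE_SIGNED", "SAMPLE_EXTRA_PACKET", "SAMPLE_UNSIGNED"):
        print(name, "->", display_verdict(globals()[name]))
```

A mail client applying this policy would show the signature banner only for the "signed" verdict and treat every other verdict as unauthenticated content.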
This vulnerability is due to the weakness discussed in BID 22757 (GnuPG Signed Message Arbitrary Content Injection Weakness) and has been assigned its own BID because of the specific way that GNUMail.app uses GnuPG.
This issue affects GNUMail.app versions prior to and including 1.1.2.
Affected Products:
- GNUMail.app GNUMail.app 1.1.2
References:
- Core Security: Impacket library
- GNUMail.app: GNUMail.app Homepage
- GnuPG: GnuPG Homepage