PGP invalid key display
pgp-invalid-key-display (7081)
Description:
A common vulnerability in multiple PGP products developed by Network Associates involves how key validity is displayed. This vulnerability could allow an attacker to forge valid-looking signatures using an invalid user ID. A remote attacker could obtain a signature on their key from a trusted third party, then add an unsigned second user ID to that key and switch it to primary; the product would then display the key as valid even when the unsigned user ID is the one shown with the signature.
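The validity-display flaw described above, modelled as an added Python example (not PGPsdk's code or the advisory's): a toy key with one certified and one uncertified user ID is scored first the key-level way (one flag for the whole key, shown beside the primary user ID) and then the per-user-ID way. The names, fingerprints and the trusted introducer are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholder: fingerprint of the trusted third party (introducer).
TRUSTED_INTRODUCERS = {"INTRODUCER-FPR-PLACEHOLDER"}


@dataclass
class UserID:
    name: str
    # Fingerprints of keys whose certification signatures cover this user ID.
    certified_by: set = field(default_factory=set)


@dataclass
class Key:
    fingerprint: str
    uids: list
    primary: int = 0  # index of the user ID flagged as primary


def key_level_validity(key):
    """Flawed model (the behaviour the advisory describes): one validity flag
    for the whole key, derived from any trusted certification on any user ID,
    displayed next to whichever user ID is flagged primary."""
    valid = any(uid.certified_by & TRUSTED_INTRODUCERS for uid in key.uids)
    return key.uids[key.primary].name, valid


def uid_level_validity(key, uid_index):
    """Corrected model: validity is a property of the specific user ID shown
    with the signature, so an uncertified user ID never inherits trust."""
    uid = key.uids[uid_index]
    return uid.name, bool(uid.certified_by & TRUSTED_INTRODUCERS)


def demo_key():
    """Constructed key: user ID 0 was certified by the introducer; user ID 1
    was added afterwards without any certification and flagged primary."""
    certified = UserID("Mallory <mallory@example.com>", {"INTRODUCER-FPR-PLACEHOLDER"})
    uncertified = UserID("Alice <alice@example.com>")
    return Key("KEY-FPR-PLACEHOLDER", [certified, uncertified], primary=1)


if __name__ == "__main__":
    k = demo_key()
    print("key-level :", key_level_validity(k))     # ('Alice <...>', True)  misleading
    print("uid-level :", uid_level_validity(k, 1))  # ('Alice <...>', False) correct
```

The key-level result is what a user of an unpatched product would see; the per-user-ID result is the check a client must make before presenting a signature as trusted.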
Consequences:
Obtain Information
Remedy:
For PGP Corporate Desktop 7.1, PGP Personal Security 7.0.3, PGP Freeware 7.0.3, and PGP E-Business Server 7.1:
Apply the appropriate hotfix for your system, available from the PGP Web site. See References.
For PGP E-Business Server 6.5.8x and PGP E-Business Server 7.0.4:
Apply the appropriate hotfix for your system, available from the PGP Web site. See References.
References:
- PGP Security Advisory: PGPsdk Key Validity Vulnerability.
- PGP Web site: PGP Hotfix.
- BID-3280: PGP Invalid Key Display Vulnerability
- CVE-2001-1016: PGP Corporate Desktop before 7.1, Personal Security before 7.0.3, Freeware before 7.0.3, and E-Business Server before 7.1 does not properly display when invalid user IDs are used to sign a message, which could allow an attacker to make the user believe that the document has been signed by a trusted third party by adding a second, invalid user ID to a key which has already been signed by the third party, aka the PGPsdk Key Validity Vulnerability.
- OSVDB ID: 1946: PGPsdk Display Invalid Key
Platforms Affected:
- PGP Corporate Desktop 7.1
- PGP E-Business Server 6.5.8
- PGP E-Business Server 7.0.4
- PGP E-Business Server 7.1
- PGP Freeware 7.0.3
- PGP Personal Security 5.0
- PGP Personal Security 6.0.2
- PGP Personal Security 7.0.3
Reported:
Sep 04, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
