ISS X-Force Database: pgp-invalid-key-display(7081): PGP invalid key display

PGP invalid key display

pgp-invalid-key-display (7081)

Medium Risk

Description:

A common vulnerability in multiple PGP products developed by Network Associates involves the display of valid keys. This vulnerability could allow an attacker to forge valid signatures using an invalid key. A remote attacker could forge signatures by obtaining a signature on his key from a trusted third party. The attacker could then add an unsigned second user ID to this key, which could be switched to primary.

Platforms Affected:

PGP, Corporate Desktop 7.1
PGP, E-Business Server 6.5.8
PGP, E-Business Server 7.0.4
PGP, E-Business Server 7.1
PGP, Freeware 7.0.3
PGP, Personal Security 5.0
PGP, Personal Security 6.0.2
PGP, Personal Security 7.0.3

Remedy:

For PGP Corporate Desktop 7.1, PGP Personal Security 7.0.3, PGP Freeware 7.0.3, and PGP E-Business Server 7.1:
Apply the appropriate hotfix for your system, available from the PGP Web site. See References.

For PGP E-Business Server 6.5.8x and PGP E-Business Server 7.0.4:
Apply the appropriate hotfix for your system, available from the PGP Web site. See References.

Consequences:

Obtain Information

References:

PGP Security Advisory, PGPsdk Key Validity Vulnerability at http://www.pgp.com/support/product-advisories/pgpsdk.asp.
PGP Web site, PGP Hotfix at http://www.pgp.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp#corpdesktop.
BID-3280: PGP Invalid Key Display Vulnerability
CVE-2001-1016: PGP Corporate Desktop before 7.1, Personal Security before 7.0.3, Freeware before 7.0.3, and E-Business Server before 7.1 does not properly display when invalid userID's are used to sign a message, which could allow an attacker to make the user believe that the document has been signed by a trusted third party by adding a second, invalid user ID to a key which has already been signed by the third party, aka the PGPsdk Key Validity Vulnerability.
OSVDB ID: 1946: PGPsdk Display Invalid Key

Reported:

Sep 04, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page