SigSpoof


{{short description|Security vulnerabilities that affected GNU Privacy Guard}}


{{Infobox bug

| name = SigSpoof

| image =

| caption =

| CVE = {{CVE|2018-12020}}

| discovered = {{Start date and age|2018|06|}}

| patched =

| discoverer = Marcus Brinkmann

| affected software = GNU Privacy Guard (GnuPG) from v0.2.2 to v2.2.8.

| website =

}}

SigSpoof ({{CVE|2018-12020}}) is a family of security vulnerabilities that affected the software package GNU Privacy Guard ("GnuPG") since version 0.2.2, which was released in 1998. Several other software packages that make use of GnuPG, such as Pass and Enigmail, were also affected.

In unpatched versions of the affected software, SigSpoof attacks allow cryptographic signatures to be convincingly spoofed under certain circumstances. This potentially enables a wide range of subsidiary attacks to succeed.



Category:Vulnerability

Category:Computer security exploits
