A “serious” vulnerability in GNU Privacy Guard’s (GnuPG) Libgcrypt encryption software could have allowed an attacker to write arbitrary data to the target machine, which could lead to remote code execution.
The bug, which affects libgcrypt version 1.9.0, was discovered on January 28 by Tavis Ormandy of Project Zero, a Google security research unit dedicated to finding zero-day bugs in hardware and software systems. .
The vulnerability does not affect any other version of Libgcrypt.
“There is a buffer overflow in libgcrypt due to an incorrect assumption in the block buffer management code,” Ormandy said. “Only decrypting some data can overflow a dynamic storage buffer with data controlled by the attacker, no verification or signature is validated before the vulnerability occurs.”
GnuPG addressed the weakness almost immediately a day after the release, while urging users to stop using the vulnerable version. The latest version can be downloaded here.
The Libgcrypt library is a set of open source cryptographic tools offered as part of the GnuPG software package for encrypting and signing data and communications. An implementation of OpenPGP, is used for digital security in many Linux distributions such as Fedora and Gentoo, although it is not used as much as OpenSSL or LibreSSL.
According to GnuPG, the bug appears to have been introduced in 1.9.0 during its development phase two years ago as part of a change to “reduce the overhead of the generic hash script function,” but it was only detected last week by Google Project Zero.
Therefore, all an attacker has to do to trigger this critical defect is to send to the library a block of data specially designed to decrypt it, thus tricking the application into executing an arbitrary piece of malicious code embedded in it (also known as shellcode) or block a program (in this case, gpg) that depends on the Libgcrypt library.
“Exploiting this bug is simple and therefore immediate action is needed for 1.9.0 users,” noted Libgcrypt author Werner Koch. “The tarballs 1.9.0 on our FTP server have been renamed, so scripts will no longer be able to get this version.”