CLD-354 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-9234 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) gnupg
Deficiency Type SECURITY
Date Created 2018-04-04 14:07:15
Date Last Modified 2018-04-09 09:18:27

Version Specific Information:

Cucumber 1.0 i686 unknown
Cucumber 1.0 x86_64 unknown

Cucumber 1.1 i686 unknown
Cucumber 1.1 x86_64 unknown

Details:

=================================== Overview ===================================

GnuPG up to and including 2.2.5 does not enforce a configuration in which key
certification requires an offline master Certify key, which results in
apparently valid certifications that occurred only with access to a signing
subkey. 

================================ Initial Report ================================

From https://dev.gnupg.org/T3844:

When using a GnuPG smartcard in 2.2.4+ with an offline master [C]ertify key, it
is possible to sign the keys of others with only a [S]igning subkey present.

Once a key has been erroneously signed and pushed to keyservers in this way,
gpg won't allow it to be signed again correctly with the master key, claiming
it is already signed.

Was able to reproduce on 2.2.4 on Arch Linux and 2.2.5 on OSX Sierra with a
Yubikey 4 and RSA4096 subkeys and Yubikey Neo with RSA2048 subkeys. Also
reproduced with pcscd and with gpg built-in scdaemon.

Example:

[lrvick@kephel ~]$ gpg --version
gpg (GnuPG) 2.2.4
libgcrypt 1.8.2
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/lrvick/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
[lrvick@kephel ~]$ gpg --card-status

Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240102010006057635220000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 05763522
Name of cardholder: Lance Vick
Language prefs ...: en
Sex ..............: male
URL of public key : https://lrvick.net/0x36C8AAA9.asc
Login data .......: lrvick
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 390
Signature key ....: 6755 3FBD A46B B71A BD2E  0B0B 8E47 A1EC 35A1 551D
      created ....: 2016-02-15 00:49:42
Encryption key....: 54BA 9099 5CCB D6D6 B0E6  8D27 CDAB 3CCD A649 FFDA
      created ....: 2009-05-09 02:05:34
Authentication key: 4654 2022 DCA1 27AD 42D8  B9FE 6C1F 8F1D 4D08 A9A6
      created ....: 2015-02-01 08:16:59
General key info..: sub  rsa4096/8E47A1EC35A1551D 2016-02-15 Lance R. Vick (Personal) 
sec#  rsa4096/E90A401336C8AAA9  created: 2009-05-09  expires: 2018-07-03
ssb#  rsa2048/8D5B2F41F66444E5  created: 2015-03-19  expires: 2018-05-29
ssb#  rsa2048/530106BDD94A0B8A  created: 2015-03-19  expires: 2018-05-29
ssb#  rsa2048/D362694AF189271D  created: 2015-03-19  expires: 2018-05-29
ssb>  rsa4096/CDAB3CCDA649FFDA  created: 2009-05-09  expires: 2018-07-03
                                card-no: 0006 05763522
ssb>  rsa4096/6C1F8F1D4D08A9A6  created: 2015-02-01  expires: 2018-07-03
                                card-no: 0006 05763522
ssb>  rsa4096/8E47A1EC35A1551D  created: 2016-02-15  expires: 2018-07-03
                                card-no: 0006 05763522
[lrvick@kephel ~]$ gpg --list-secret-keys lance@lrvick.net
sec#  rsa4096 2009-05-09 [SC] [expires: 2018-07-03]
      6B61ECD76088748C70590D55E90A401336C8AAA9
uid           [ultimate] Lance R. Vick (Personal) 
uid           [ultimate] [jpeg image of size 6119]
uid           [ultimate] Lance R. Vick (Work) 
ssb#  rsa2048 2015-03-19 [S] [expires: 2018-05-29]
ssb#  rsa2048 2015-03-19 [E] [expires: 2018-05-29]
ssb#  rsa2048 2015-03-19 [A] [expires: 2018-05-29]
ssb>  rsa4096 2009-05-09 [E] [expires: 2018-07-03]
ssb>  rsa4096 2015-02-01 [A] [expires: 2018-07-03]
ssb>  rsa4096 2016-02-15 [S] [expires: 2018-07-03]

[lrvick@kephel ~]$ gpg --list-keys john@doe.com
pub   rsa2048 2018-03-10 [SC] [expires: 2020-03-09]
      691D9AC876EAABBC0AFA5403DF5E676BBF2D7AE8
uid           [ultimate] John Doe 
sub   rsa2048 2018-03-10 [E] [expires: 2020-03-09]

[lrvick@kephel ~]$ gpg --sign-key 691D9AC876EAABBC0AFA5403DF5E676BBF2D7AE8

sec  rsa2048/DF5E676BBF2D7AE8
     created: 2018-03-10  expires: 2020-03-09  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa2048/02E38722C42DA22F
     created: 2018-03-10  expires: 2020-03-09  usage: E   
[ultimate] (1). John Doe 


sec  rsa2048/DF5E676BBF2D7AE8
     created: 2018-03-10  expires: 2020-03-09  usage: SC  
     trust: ultimate      validity: ultimate
 Primary key fingerprint: 691D 9AC8 76EA ABBC 0AFA  5403 DF5E 676B BF2D 7AE8

     John Doe 

This key is due to expire on 2020-03-09.
Are you sure that you want to sign this key with your
key "Lance R. Vick (Personal) " (8E47A1EC35A1551D)

Really sign? (y/N) y

[lrvick@kephel ~]$ gpg --list-sigs 691D9AC876EAABBC0AFA5403DF5E676BBF2D7AE8
pub   rsa2048 2018-03-10 [SC] [expires: 2020-03-09]
      691D9AC876EAABBC0AFA5403DF5E676BBF2D7AE8
uid           [ultimate] John Doe 
sig 3        DF5E676BBF2D7AE8 2018-03-10  John Doe 
sig          8E47A1EC35A1551D 2018-03-10  Lance R. Vick (Personal) 
sub   rsa2048 2018-03-10 [E] [expires: 2020-03-09]
sig          DF5E676BBF2D7AE8 2018-03-10  John Doe 

============================ Additional Information ============================

From https://bugzilla.redhat.com/show_bug.cgi?id=1563930:

Normally master keys are more protected than signing or encryption subkeys.
Since master key can actually be used to prove someone's identity. Subkeys on
other hand can you used to sign/verify and encrypt/decrypt messages in place of
the master keys. However the procedure of signing someones keys requires the
master key. The flaw allows the signing subkey to sign someones keys, without
the use of the master key, when smartcards are used. This seems to be only a
minor security bypass, since technically subkeys also need to have some form of
security around them.

================================= Our Analysis =================================

----- Affected Products -----
It is not clear which versions of GNUPG are affected by this vulnerability.
Debian and RedHat claim that all versions of GNUPG 2 are affected, while Ubuntu
and SuSE claim that only versions 2.1.21 and later are affected. Due to the
lack of sufficient reproduction instructions, we are unable to determine if
Cucumber Linux is affected (as of Mon Apr  9 09:45:38 EDT 2018).

----- Scope and Impact of this Vulnerability -----
Can result in apparently valid key signature that was created with only a
signing subkey.

----- Fix for this Vulnerability -----
This vulnerability can be fixed in GNUPG 2.2.5 by applying the patch from commit
https://dev.gnupg.org/rGa17d2d1f690ebe5d005b4589a5fe378b6487c657 and
rebuilding.