Security Advisory for Libksba / GnuPG

Integer Overflow in LibKSBA / GnuPG

A severe bug has been found in Libksba , the library used by GnuPG for parsing the ASN.1 structures as used by S/MIME. The bug affects all versions of Libksba before 1.6.2 and may be used for remote code execution. Updating this library is thus important.

Who is affected

The major user of Libksba is gpgsm, the S/MIME cousin of gpg. There it is used to parse all kind of input data, in particular signed or encrypted data in files or in mails. Feeding a user with malicious data can thus be easily achieved.

A second user of Libksba is dirmngr, which is responsible for loading and parsing Certificate Revocation Lists (CRLs) and for verifying certificates used by TLS (i.e. https connections). Mounting an attack is a bit more complex but can anyway be easily done using a rogue web server to serve a Web Key Directory, certificates, or CRLs.

An exploit is not yet publicly known but very straightforward to create for experienced crooks.

Affected to our knowledge are:

  • Most software using Libksba versions up to 1.6.1
  • All Gpg4win versions from version 2.0.0 up to 4.0.3
  • All GnuPG VS-Desktop® versions from 3.1.16 up to 3.1.24
  • All GnuPG installers for Windows from version 2.3.0 up to 2.3.7
  • All GnuPG LTS installers for Windows from version 2.1.0 up to 2.2.39

How to fix

If you are on a Unix or Linux system you should get the latest version of Libksba (1.6.2 or newer), build the software and install the new shared library. Restart any background processes (e.g. gpgconf --kill all for GnuPG). In the rare case that Libksba is statically linked remember to rebuild those binaries.

If your are on Windows or if you use an AppImage of GnuPG VS-Desktop update to the latest version:

  • Gpgwin version 4.0.4 or newer
  • GnuPG VS-Desktop version 3.1.25 or newer (MSI or AppImage)
  • GnuPG installer for Windows version 2.3.8
  • GnuPG LTS installer for Windows version 2.2.40

In case you are not yet ready to deploy a new version, please extract libksba-8.dll from the respective package and replace the original one by this one. This is sufficient to fix the security issue.

How to check whether GnuPG has been fixed

GnuPG is the most prominent user of Libksba and it is not immediately visible whether a fixed version of Libksba is used. To check this run:

gpgconf --show-versions

and watch out for a line like

* KSBA 1.6.2 (xxxxx)

If you see a version number of 1.6.2 or newer, you got the fix.

CVE

GnuPG-bug-id
6230 (https://dev.gnupg.org/T6230)
CVE
CVE-2022-3515
CVSS
8.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Other-IDs
ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18927

CVSS taken from the Trend Micro Zero Day Initiative report.

Technical background

The task of Libksba is to parse and build ASN.1 objects as used by S/MIME, X.509, and CMS. The used encoding (BER, DER) is based on tag-length-value objects. The function _ksba_ber_read_tl parses such data and returns the tag and associated information in this structure:

struct tag_info {
  enum tag_class class;
  int is_constructed;
  unsigned long tag;
  unsigned long length;  /* Length part of the TLV */
  int ndef;              /* It is an indefinite length */
  size_t nhdr;           /* Number of bytes in the TL */
  unsigned char buf[10]; /* Buffer for the TL */
  const char *err_string;
  int non_der;
};

At several places we need to copy the objects to a local buffer. For example we copy OIDs to a statically encoded buffer for further processing:

struct tag_info ti;
unsigned char tmpbuf[500]; /* for OID or algorithmIdentifier */
[...]
if (ti.nhdr + ti.length >= DIM(tmpbuf))
  return gpg_error (GPG_ERR_TOO_LARGE);
memcpy (tmpbuf, ti.buf, ti.nhdr);
err = read_buffer (crl->reader, tmpbuf+ti.nhdr, ti.length);

It is obvious that the sum of the header length (although less than 10 bytes) and the announced length of the value can easily wrap around and pass the check. The result is then an overflow of tmpbuf with all the usual consequences. The code has been there for ages and it seems that the audits missed this because, well, there is some overflow check and a too brief check may have only noticed that the memcpy if fine.

The fix for this is easy because we can check for an overflow right away in the parser. Thus _ksba_ber_read_tl finally does this extra check:

if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
  {
    ti->err_string = "header+length would overflow";
    return gpg_error (GPG_ERR_EOVERFLOW);
  }

Thanks

This vulnerability was discovered by:
Anonymous working with Trend Micro Zero Day Initiative

The report was received on 2022-10-04, fix pushed 2022-10-05, new source code release 2002-10-07, binary releases and announcement on 2022-10-17.