Vulnerability Description
A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker to spoof it. Consequently, an attacker can lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, since the library skips Armor Header parsing in general, an attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Crypto | 2019-03-25 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/152840/Go-Cryptography-Libraries-Cleartext-ExploitThird Party AdvisoryVDB Entry
- https://go.googlesource.com/crypto/ProductThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2019/09/msg00011.htmlMailing ListThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/10/msg00014.htmlMailing ListThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html
- https://sec-consult.com/Third Party Advisory
- https://sec-consult.com/en/blog/advisories/cleartext-message-spoofing-in-go-crypExploitThird Party Advisory
- http://packetstormsecurity.com/files/152840/Go-Cryptography-Libraries-Cleartext-ExploitThird Party AdvisoryVDB Entry
- https://go.googlesource.com/crypto/ProductThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2019/09/msg00011.htmlMailing ListThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/10/msg00014.htmlMailing ListThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html
- https://sec-consult.com/Third Party Advisory
- https://sec-consult.com/en/blog/advisories/cleartext-message-spoofing-in-go-crypExploitThird Party Advisory
FAQ
What is CVE-2019-11841?
CVE-2019-11841 is a vulnerability with a CVSS score of 5.9 (MEDIUM). A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880...
How severe is CVE-2019-11841?
CVE-2019-11841 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-11841?
Check the references section above for vendor advisories and patch information. Affected products include: Golang Crypto, Debian Debian Linux.