Advisory ID: SYSS-2014-009
Product: Symantec Encryption Management Server
Vendor: Symantec
Affected Version(s): 3.3.2 MP6 and prior
Vulnerability Type: E-Mail Header Injection
Risk Level: Low
Solution Status: Patch available
Vendor Notification: September 9, 2014
Solution Date: January 29, 2015
Public Disclosure: January 29, 2015
CVE Reference: CVE-2014-7287
Author of Advisory: Klaus Eisentraut, SySS GmbH

--------------------------------------------------------------------------------

Overview:

Uploading a crafted PGP key can be used to perform an e-mail header injection in the confirmation mail.

--------------------------------------------------------------------------------

Vulnerability Details:

According to RFC 4880, section 5.11 [1], the UID value of a PGP key can contain arbitrary UTF-8 data. Thus it is possible to create PGP keys with line breaks in the name field. When such a key is uploaded to the integrated keyserver of Symantec's "Encryption Management Server" in version 3.3.2 MP6 and prior, an e-mail header injection vulnerability can be exploited.

--------------------------------------------------------------------------------

Proof of Concept (PoC):

A patched version of GnuPG was compiled to be able to generate PGP keys with line breaks. An example key which was generated contained the following values (without the | delimiters):

UID:    |invalid@example.com\r\nSubject: You have been hacked\r\nCc: |
e-mail: |syss@XXXXXXX.com|

Uploading this key to the integrated key server caused the following (anonymized) confirmation mail to be sent:

[... snip ...]
To: "invalid@example.com"@XXXXXXXX.de
Subject: You have been hacked
Cc: " "@XXXXXXXX.de
Subject: [Verified Directory] Verify Your Key
Mime-Version: 1.0
[... snip ...]

As can be seen above, some filtering seems to be applied, but we were able to overwrite the subject with arbitrary text.
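The injection shown in the PoC mail above, reproduced as an added Python example (not the SySS PoC and not Symantec's code): a naive confirmation-mail builder that concatenates the key's UID into the To: header, the parsed result with its two Subject: headers, and the input validation the fix requires, which rejects any UID carrying CR, LF or another control character before a mail is built. The UID, domain and header layout are constructed to mirror the advisory.

```python
"""Added example (not the SySS PoC): how a CRLF inside a PGP User ID becomes
an injected mail header, and the input validation that prevents it."""
import re

# Constructed values modelled on the advisory's PoC (the domain is a placeholder).
MALICIOUS_UID = "invalid@example.com\r\nSubject: You have been hacked\r\nCc: "
BENIGN_UID = "Jane Doe <jane@example.com>"
DOMAIN = "example.de"

# Any C0 control character (CR, LF, NUL, ...), DEL, or a Unicode line/paragraph separator.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f\u0085\u2028\u2029]")


def is_safe_header_value(value: str) -> bool:
    """True if the value cannot terminate the current header line or start a new one."""
    return _FORBIDDEN.search(value) is None


def naive_headers(uid: str, domain: str) -> str:
    """Vulnerable pattern: the key's UID is concatenated into the header block unchecked."""
    return ('To: "' + uid + '"@' + domain + "\r\n"
            "Subject: [Verified Directory] Verify Your Key\r\n"
            "Mime-Version: 1.0\r\n")


def hardened_headers(uid: str, domain: str) -> str:
    """Fixed pattern: refuse to build the mail at all if the UID could inject a header."""
    if not is_safe_header_value(uid):
        raise ValueError("UID contains a control character; refusing to build mail headers")
    return naive_headers(uid, domain)


def header_values(raw: str, name: str) -> list:
    """Return every value of header `name`, line by line, as a receiving MTA would see it."""
    found = []
    for line in raw.split("\r\n"):
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            found.append(value.strip())
    return found


if __name__ == "__main__":
    # The unchecked build yields two Subject: headers; the injected one comes first.
    print(header_values(naive_headers(MALICIOUS_UID, DOMAIN), "Subject"))
    try:
        hardened_headers(MALICIOUS_UID, DOMAIN)
    except ValueError as exc:
        print("rejected:", exc)
```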
It might be possible to add other recipients, change the content of the e-mail or change other headers. This has not been analyzed any further by the SySS GmbH.

--------------------------------------------------------------------------------

Solution:

Upgrade to Symantec Encryption Management Server 3.3.2 MP7, which does proper input validation. For further details, see Symantec's advisory [2].

--------------------------------------------------------------------------------

Disclosure Timeline:

September 5, 2014 - Vulnerability discovered
September 9, 2014 - Vulnerability reported to secure@symantec.de
January 29, 2015 - Patch available and public disclosure

--------------------------------------------------------------------------------

References:

[1] http://tools.ietf.org/html/rfc4880#section-5.11 - RFC 4880, section 5.11
[2] http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150129_00 - Symantec security advisory
[3] https://www.syss.de/aktuelles/responsible_disclosure_policy/ - SySS Responsible Disclosure Policy

--------------------------------------------------------------------------------

Credits:

Security vulnerability found by Klaus Eisentraut of the SySS GmbH.

E-Mail: klaus.eisentraut (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Klaus_Eisentraut.asc
Key ID: 0xBAC677AE
Key Fingerprint: F5E8 E8E1 A414 4886 0A8B 0411 DAB0 4DB5 BAC6 77AE

--------------------------------------------------------------------------------

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site [3].
--------------------------------------------------------------------------------

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en