Vulnerability Details : CVE-2018-12356
An issue was discovered in password-store.sh in pass in Simple Password Store 1.7.x before 1.7.2. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extension scripts. Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution.
Exploit prediction scoring system (EPSS) score for CVE-2018-12356
Probability of exploitation activity in the next 30 days: 12.36%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 95 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2018-12356
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
|
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2018-12356
-
The product does not verify, or incorrectly verifies, the cryptographic signature for data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-12356
-
https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.html
Security Vulnerability: Faulty GPG Signature CheckingMailing List;Third Party Advisory
-
https://git.zx2c4.com/password-store/commit/?id=8683403b77f59c56fcb1f05c61ab33b9fd61a30d
password-store - Simple password manager using gpg and ordinary unix directories.Patch;Third Party Advisory
-
http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html
Johnny You Are Fired ≈ Packet StormThird Party Advisory;VDB Entry
-
http://seclists.org/fulldisclosure/2019/Apr/38
Full Disclosure: OpenPGP and S/MIME signature forgery attacks in multiple email clientsMailing List;Third Party Advisory
-
https://github.com/RUB-NDS/Johnny-You-Are-Fired
GitHub - RUB-NDS/Johnny-You-Are-Fired: Artifacts for the USENIX publication.
-
http://openwall.com/lists/oss-security/2018/06/14/3
oss-security - CVE-2018-12356 Breaking signature verification in pass (Simple Password Store)Mailing List;Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2019/04/30/4
oss-security - Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients)Mailing List;Third Party Advisory
-
https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf
Johnny-You-Are-Fired/johnny-fired.pdf at master · RUB-NDS/Johnny-You-Are-Fired · GitHub
Products affected by CVE-2018-12356
- Simple Password Store Project » Simple Password StoreVersions from including (>=) 1.7.0 and before (<) 1.7.2cpe:2.3:a:simple_password_store_project:simple_password_store:*:*:*:*:*:*:*:*