The vulnerability was disclosed nearly a month after researchers revealed a series of vulnerabilities known as eFail in PGP and S/MIME encryption tools, which could expose encrypted emails as plaintext and affected email programs including Thunderbird, Apple Mail, and Outlook.
Software developer Marcus Brinkmann discovered an input-handling vulnerability, named SigSpoof, that allows attackers to spoof a digital signature for a given public key or user ID without requiring any of the associated private or public keys.
The vulnerability, CVE-2018-12020, affects widely used tools such as GnuPG, Enigmail, GPGTools, and python-gnupg, and has been patched in their latest software updates.
GnuPG vulnerability in encryption tool allows signature forgery attacks
According to the researchers, the OpenPGP protocol allows the filename of the original input file to be included in a signed or encrypted message. When GnuPG processes such a message, it can emit that filename together with its status messages (including signature information) in a single data stream, relying on predetermined keywords to separate them.
According to GnuPG maintainer Werner Koch, programs parse these status messages to extract valid signature information and other parameters from gpg.
When the email is decrypted on the recipient's end, the client application splits the stream on that keyword and displays the email as carrying a valid signature if the verbose option is enabled in gpg.conf.
The researchers also found that the filename, which may be up to 255 characters long, is not properly sanitized, allowing an attacker to embed additional data and control characters in it.
Brinkmann shows how these weaknesses can be combined to inject fake GnuPG status messages into an application's parser and thereby spoof the results of signature verification and message decryption.
The researchers also believe the vulnerability could affect a significant portion of core infrastructure beyond encrypted email, since GnuPG is used not only to secure email but also to protect backups, software updates in distributions, and source code in version control systems such as Git.
Brinkmann also provides three proof-of-concept demonstrations: spoofing signatures in Enigmail and GPGTools, spoofing signatures and encryption in Enigmail, and spoofing signatures on the command line.
Users are advised to upgrade to the latest versions to avoid falling victim to the vulnerability:
- Upgrade to GnuPG 2.2.8 or GnuPG 1.4.23: Download GnuPG
- Upgrade to Enigmail 2.0.7: Download Enigmail
- Upgrade to GPGTools 2018.3: Download GPG Tools
Developers are advised to add --no-verbose to all gpg invocations and to upgrade to python-gnupg 0.4.3.
Applications that use the GPGME library are safer. It is also advisable not to enable the --status-fd and --verbose flags.
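The parsing problem described above (a filename with embedded control characters landing in the same stream as the status lines) and the --no-verbose / separate-status-channel mitigation, as an added Python model that is not code from the page, from GnuPG, or from python-gnupg: gpg's output is simulated with constructed strings, the parser is a generic line-oriented one, and the key ID and user ID in the crafted filename are placeholders.

```python
STATUS_PREFIX = "[GNUPG:] "


def simulated_gpg(filename, verbose, status_to_stderr):
    """Constructed model of gpg's output while decrypting an UNSIGNED message.
    Returns (stderr_text, status_text). With --verbose gpg logs the embedded
    original file name; with --status-fd 2 that log line shares a stream with
    the machine-readable status lines. Shapes mimic real output, not captured."""
    status = [STATUS_PREFIX + "DECRYPTION_OKAY", STATUS_PREFIX + "END_DECRYPTION"]
    stderr = []
    if verbose:
        stderr.append("gpg: original file name='%s'" % filename)  # not sanitized
    if status_to_stderr:
        return "\n".join(stderr + status) + "\n", ""
    return "\n".join(stderr) + "\n", "\n".join(status) + "\n"


def parse_status(stream):
    """Line-oriented status parser of the kind mail plugins and wrappers use."""
    found = {}
    for line in stream.splitlines():
        if line.startswith(STATUS_PREFIX):
            keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
            found.setdefault(keyword, args)
    return found


# Constructed crafted file name: a control character (newline) followed by a
# fabricated status line; the key ID and user ID are placeholders.
CRAFTED_NAME = "notes.txt\n" + STATUS_PREFIX + "GOODSIG 0000000000000000 Alice <alice@example.org>"


def signature_reported(verbose, status_to_stderr):
    """True if the consumer would believe the unsigned message had a good signature."""
    stderr, status = simulated_gpg(CRAFTED_NAME, verbose, status_to_stderr)
    stream = stderr if status_to_stderr else status
    return "GOODSIG" in parse_status(stream)


def gpg_argv(status_fd):
    """Safer invocation: status lines on their own descriptor (never 1 or 2) and
    --no-verbose, so no log line can share the status channel. Hand the write
    end of a pipe to subprocess.Popen via pass_fds=(status_fd,)."""
    if status_fd in (1, 2):
        raise ValueError("status fd must not be stdout or stderr")
    return ["gpg", "--batch", "--no-verbose", "--status-fd", str(status_fd), "--decrypt"]


if __name__ == "__main__":
    print("verbose, status on stderr     :", signature_reported(True, True))   # True
    print("--no-verbose, status on stderr:", signature_reported(False, True))  # False
    print("verbose, separate status fd   :", signature_reported(True, False))  # False
```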