
Libgcrypt bug could allow attackers to execute arbitrary code on target machines

Libgcrypt is an open-source cryptography library developed as a separate module of the GnuPG project, providing the primitives used to encrypt and sign data and communications.

Although Libgcrypt is the general-purpose cryptographic library underlying GnuPG (it is GnuPG itself, not Libgcrypt, that implements OpenPGP on top of it) and is used by Linux distributions such as Gentoo and Fedora, it is far less widely deployed than OpenSSL or LibreSSL.

Google Project Zero researcher Tavis Ormandy disclosed a vulnerability in GnuPG's Libgcrypt library that lets an attacker overwrite heap memory with data they control, which could lead to remote code execution. GnuPG fixed the bug within a day of the report, in Libgcrypt 1.9.1, and urges all users of the affected version to update.

How the Libgcrypt Library bug could lead to remote code execution

The vulnerability, which is present only in version 1.9.0 of Libgcrypt, is a heap buffer overflow caused by an incorrect assumption in the block buffer management code of the generic hash write function. Simply decrypting some data can overflow a heap buffer with attacker-controlled data, and no verification or signature check happens before the vulnerable code is reached, so an attacker does not need a valid signature or any other form of authentication to trigger it.

GnuPG says the bug was introduced into 1.9.0 by a change made about two years earlier, during development of that release, whose purpose was to "reduce overhead on generic hash write function".

To trigger the flaw, an attacker only needs to hand Libgcrypt a block of specially crafted data for decryption. At minimum the overflow crashes any program that relies on the library; because the bytes written past the end of the buffer are attacker-controlled, it can also be turned into execution of attacker-supplied code (shellcode) inside that program.
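The bug class described above, as an added example that is not Libgcrypt's code: a simplified block-buffered hash update in C with a 64-byte block (the block size of SHA-1 and SHA-256). `buggy_update` carries the kind of incorrect assumption the advisory describes: its tail copy trusts that whatever input is left fits in the free part of the block buffer, which is only true when the buffer was empty on entry, so a partial block followed by a larger chunk writes past the buffer into whatever the allocator placed next to it. `fixed_update` does the bookkeeping correctly. The context struct, the toy `compress` function, the `NEIGHBOR` region standing in for the adjacent heap object, and the 1-byte-then-99-byte input are all constructed for this demonstration and are not taken from Libgcrypt.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCKSIZE 64   /* block size of SHA-1 / SHA-256 */
#define NEIGHBOR  64   /* constructed: stands in for the heap object placed after the context */

/* Constructed context: mem[0,BLOCKSIZE) is the block buffer, mem[BLOCKSIZE,...) models
 * the neighbouring heap object. A real library keeps only the block buffer; the
 * neighbour is a separate allocation, which is what makes the overflow exploitable. */
typedef struct block_ctx {
    unsigned char mem[BLOCKSIZE + NEIGHBOR];
    size_t count;     /* bytes currently buffered in the block buffer */
    uint32_t state;   /* toy running state, not a real hash */
    size_t blocks;    /* full blocks compressed so far */
} block_ctx;

typedef void (*update_fn)(block_ctx *, const unsigned char *, size_t);

static void ctx_init(block_ctx *c) { memset(c, 0, sizeof *c); }

/* Stand-in for the compression function: mixes one full block into state. */
static void compress(block_ctx *c, const unsigned char *blk)
{
    for (size_t i = 0; i < BLOCKSIZE; i++)
        c->state = (c->state * 31u) ^ blk[i];
    c->blocks++;
}

/* Vulnerable variant. The tail copy assumes the remaining input fits in the
 * buffer's free space; with a partial block already buffered, count + inlen can
 * exceed BLOCKSIZE and the memcpy runs into the neighbour. */
static void buggy_update(block_ctx *c, const unsigned char *in, size_t inlen)
{
    if (c->count == 0) {
        while (inlen >= BLOCKSIZE) {                 /* fast path on whole blocks */
            compress(c, in);
            in += BLOCKSIZE; inlen -= BLOCKSIZE;
        }
    }
    /* Harness only: keep the write inside `mem` so this demo stays defined C.
     * A real overflow has no such limit. */
    if (inlen > sizeof c->mem - c->count)
        inlen = sizeof c->mem - c->count;
    memcpy(c->mem + c->count, in, inlen);            /* BUG: no check that count + inlen <= BLOCKSIZE */
    c->count += inlen;
    if (c->count == BLOCKSIZE) { compress(c, c->mem); c->count = 0; }
}

/* Hardened variant: top up the partial block bounded by the free space, consume
 * whole blocks, and only then buffer the tail, which is now < BLOCKSIZE. */
static void fixed_update(block_ctx *c, const unsigned char *in, size_t inlen)
{
    if (c->count) {
        size_t room = BLOCKSIZE - c->count;
        size_t take = inlen < room ? inlen : room;
        memcpy(c->mem + c->count, in, take);
        c->count += take; in += take; inlen -= take;
        if (c->count < BLOCKSIZE) return;            /* still a partial block */
        compress(c, c->mem); c->count = 0;
    }
    while (inlen >= BLOCKSIZE) {
        compress(c, in);
        in += BLOCKSIZE; inlen -= BLOCKSIZE;
    }
    memcpy(c->mem, in, inlen);                       /* inlen < BLOCKSIZE and count == 0 here */
    c->count = inlen;
}

/* Constructed trigger: 1 byte, then 99 attacker-controlled bytes (0x41).
 * Returns how many neighbour bytes ended up holding attacker data. */
static size_t neighbor_bytes_clobbered(update_fn update)
{
    block_ctx c; ctx_init(&c);
    unsigned char first = 0x00, payload[99];
    memset(payload, 0x41, sizeof payload);
    update(&c, &first, 1);
    update(&c, payload, sizeof payload);
    size_t n = 0;
    for (size_t i = BLOCKSIZE; i < sizeof c.mem; i++) n += (c.mem[i] != 0);
    return n;
}

/* Digest a fixed 100-byte message fed in the given chunk sizes; the result must
 * not depend on the chunking if the buffer bookkeeping is right. */
static uint32_t digest_chunked(update_fn update, const size_t *chunks, size_t nchunks)
{
    unsigned char msg[100];
    for (size_t i = 0; i < sizeof msg; i++) msg[i] = (unsigned char)(i * 7 + 3);
    block_ctx c; ctx_init(&c);
    size_t off = 0;
    for (size_t i = 0; i < nchunks; i++) { update(&c, msg + off, chunks[i]); off += chunks[i]; }
    if (c.count > BLOCKSIZE) return 0;               /* bookkeeping already corrupt */
    memset(c.mem + c.count, 0, BLOCKSIZE - c.count); /* toy finalisation: zero-pad and compress */
    compress(&c, c.mem);
    return c.state;
}

static int chunking_is_consistent(void)
{
    const size_t one[] = {100}, split[] = {1, 99}, halves[] = {50, 50};
    uint32_t d = digest_chunked(fixed_update, one, 1);
    return digest_chunked(fixed_update, split, 2) == d
        && digest_chunked(fixed_update, halves, 2) == d;
}

int main(void)
{
    printf("buggy_update clobbered %zu neighbour bytes\n", neighbor_bytes_clobbered(buggy_update));
    printf("fixed_update clobbered %zu neighbour bytes\n", neighbor_bytes_clobbered(fixed_update));
    printf("fixed_update chunking consistent: %s\n", chunking_is_consistent() ? "yes" : "no");
    return 0;
}
```

With one byte already buffered, the 99-byte chunk makes the buggy path write 100 bytes starting at offset 1, so 36 bytes of the neighbour receive attacker data; the fixed path compresses one block and buffers the remaining 36 bytes. The chunking check is the property a reviewer should test on any such `update` routine: the same message split as (100), (1, 99) and (50, 50) must produce the same state, and a sanitizer build of the split case is what turns a bookkeeping error into a visible crash.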

Because exploitation is simple, GnuPG says immediate action is required from anyone running 1.9.0: the 1.9.0 tarballs on its FTP server have been renamed so that scripts can no longer fetch that version, and users are urged to stop using it and upgrade to the fixed release, Libgcrypt 1.9.1. Earlier 1.8.x releases do not contain the bug.
