OpenPGP library RNP updates after Thunderbird decrypt-no-recrypt bug squashed
Not the obvious function, the other obvious function
OpenPGP project RNP has patched its flagship product after Mozilla Thunderbird, a major user, was found to be saving users’ private keys in plain text.
The newest version of RNP, 0.15.1, saw a fix for the vulnerability which led to a Thunderbird patch last week after confused users wondered why the email client’s master password wasn’t protecting their private keys.
Still tracked as CVE-2021-29956, the number allocated to the Thunderbird vuln, the RNP bug has now been squashed. In the previous version, calling RNP’s rnp_key_unprotect function followed by rnp_key_protect did not lead to private PGP keys being re-encrypted to protect them from being read.
“rnp_key_unprotect decrypts key data and overwrites key protection settings, and stores key data in unprotected form” explained RNP in an advisory about the vuln. “Key protection settings were not properly copied within RNP, leaving key material in the clear.”
When Thunderbird’s previous OpenPGP key management flow called rnp_key_unprotect as part of the mail client’s process for decrypting PGP-protected emails, the result was that the keys themselves were decrypted and left in plain text on the host device’s hard drive.
Although another function exists in RNP to achieve the desired effect of temporarily decrypting the keys (rnp_key_unlock), it appeared nobody in either RNP or Mozilla had realised how different the two similar-sounding functions were.
- Icarus moment: Mozilla Thunderbird was saving OpenPGP keys in plaintext after encryption snafu
- Severe bug in Libgcrypt – used by GPG and others – is a whole heap of trouble, prompts patch scramble
- Thunderbird implements PGP crypto feature requested 21 years ago
- The state of OpenPGP key servers: Kristian, can you renew my certificate? A month later: Kristian? Ten days later: Too late, it’s expired
“Upgrading to RNP 0.15.1 fixes this issue. If unprotected keys have been saved outside of RNP, a re-protection step needs to apply,” said RNP, noting that the latest version of Thunderbird implements auto-re-protection so your private keys aren’t left unencrypted for any passing baddie to sniff out.
While the vuln itself was low impact, as recognised by its CVSS score of 3.2, an authenticated attacker could have accessed the keys with few obstacles – and obtaining authenticated access to a target machine tends to assume the breaching of multiple defences in most enterprises' threat models.
Problems with PGP key handling are not unique to Thunderbird, though as one of the most widely used open source mail clients it inevitably gets lots of attention. Last year a group of academics in Germany discovered that private keys could be exfiltrated from target mail clients through a crafted mailto: link that uploaded the target's private keys directly to an outgoing message. ®