VDB
CVE-2018-12356
CVE-2018-12356
PUBLISHED
An issue was discovered in password-store.sh in pass in Simple Password Store 1.7.x before 1.7.2. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extension scripts. Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution.
EPSS 2.61% · 86.0th percentile
Risk Scores
EPSS Score
2.61%
86.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | password-store | 0, 1.7.1-3 |
Exploit Intelligence
- https://git.zx2c4.com/password-store/commit/?id=8683403b77f59c56fcb1f05c61ab33b9fd61a30d (circl)
- http://openwall.com/lists/oss-security/2018/06/14/3 (circl)
- https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.html (circl)
- [oss-security] 20190430 Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients) (circl)
- http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html (circl)
- https://github.com/RUB-NDS/Johnny-You-Are-Fired (circl)
- https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf (circl)
- 20190430 OpenPGP and S/MIME signature forgery attacks in multiple email clients (cve.org)
- cve_test.go (github-poc)
- cve_test.go (github-poc)
…and 8 more exploits
Timeline
- Jun 15, 2018 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- May 8, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-12356 third-party-advisory
- https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.html third-party-advisory
- https://neopg.io/blog/pass-signature-spoof/ third-party-advisory
- http://www.openwall.com/lists/oss-security/2018/06/14/3 third-party-advisory
- http://openwall.com/lists/oss-security/2018/06/14/3 third-party-advisory
- https://git.zx2c4.com/password-store/commit/?id=8683403b77f59c56fcb1f05c61ab33b9fd61a30d third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-12356 third-party-advisory