Critical Libgcrypt Crypto Bug Opens Machines to Arbitrary Code | Threatpost

The flaw in the open-source library could have been pulled into any application built against the affected release.

The Libgcrypt project has rushed out a fix for a critical bug in version 1.9.0 of the open-source cryptographic library. An exploit would allow an attacker to write attacker-controlled data past the end of a heap buffer on a target machine and, from there, execute code.

The security vulnerability is a heap-buffer overflow in Libgcrypt 1.9.0 (released on January 19; earlier versions, including the 1.8.x series, are not affected), which researchers said can be triggered merely by decrypting a block of data. The issue is patched (CVE pending) in Libgcrypt version 1.9.1.

Libgcrypt is a general-purpose cryptographic library for developers to use when building applications, originally based on code from GNU Privacy Guard (GnuPG is in turn a free-software replacement for Symantec's PGP cryptographic software suite). Libgcrypt is POSIX-compatible, meaning it can be used in Linux, Unix and macOS applications, and it can be built for Microsoft Windows with a cross-compiler.

The bug is “simple to exploit,” according to Google Project Zero researcher Tavis Ormandy, who discovered and reported the issue.

“There is a heap-buffer overflow in Libgcrypt due to an incorrect assumption in the block buffer management code. Just decrypting some data can overflow a heap buffer with attacker-controlled data, no verification or signature is validated before the vulnerability occurs,” Ormandy explained in his report, published as part of Libgcrypt’s advisory on Friday.

Though the flawed version is no longer available for download, it is unclear how many developers downloaded it and built it into their applications before it was taken down. Anyone who shipped or linked against 1.9.0 should replace it with 1.9.1 or later, Libgcrypt's authors noted.
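Because only the single 1.9.0 release is affected, the practical first step is an inventory check rather than a code change. The following script is an added example, not code from the Threatpost article or the Libgcrypt project: it flags hosts whose recorded Libgcrypt package is exactly 1.9.0 (older 1.8.x and the fixed 1.9.1 pass), and, as a secondary local probe, asks an installed copy of the shared library for its own version through the real `gcry_check_version(NULL)` entry point. The inventory lines and host names are constructed sample data; the `host package version` record layout is an assumption made for the example.

```python
"""Flag hosts whose installed Libgcrypt is the affected 1.9.0 release.

Added example (not from the article or the Libgcrypt project). Only 1.9.0
carries the block-buffer heap overflow; 1.8.x is unaffected and 1.9.1 is fixed.
"""
import ctypes
import ctypes.util
import re

AFFECTED = (1, 9, 0)   # the single vulnerable release
FIXED = (1, 9, 1)      # first release that contains the fix

_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings such as '1.9.0' or
    '1.8.7-2ubuntu1' (Debian-style suffixes are ignored), or None."""
    m = _VER_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True only for 1.9.0; anything older or newer is not affected."""
    return parse_version(version) == AFFECTED


def scan_inventory(lines):
    """Return the hosts whose libgcrypt package is the affected release.

    Each line is assumed (for this example) to be 'host package version',
    e.g. as exported from dpkg or brew into a flat inventory file.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed records
        host, pkg, ver = parts
        if pkg.startswith("libgcrypt") and is_affected(ver):
            hits.append(host)
    return hits


def local_libgcrypt_version():
    """Ask the locally installed shared library for its version string.

    Uses the real libgcrypt API gcry_check_version(NULL), which returns the
    library's version. Returns None when no libgcrypt is installed.
    """
    path = ctypes.util.find_library("gcrypt")
    if not path:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    lib.gcry_check_version.restype = ctypes.c_char_p
    lib.gcry_check_version.argtypes = [ctypes.c_char_p]
    ver = lib.gcry_check_version(None)
    return ver.decode() if ver else None


# Constructed sample inventory: two hosts still carry 1.9.0 (one with a
# distro packaging suffix), the others are on unaffected releases.
SAMPLE_INVENTORY = [
    "build01 libgcrypt20 1.8.7-2",
    "build02 libgcrypt 1.9.0",
    "mac01 libgcrypt 1.9.1",
    "ci03 libgcrypt20 1.9.0-1",
    "web04 openssl 1.1.1i",
]

if __name__ == "__main__":
    for host in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host}: Libgcrypt 1.9.0 installed, upgrade to "
              f"{'.'.join(map(str, FIXED))} or later")
    local = local_libgcrypt_version()
    if local is not None:
        state = "AFFECTED" if is_affected(local) else "ok"
        print(f"local libgcrypt {local}: {state}")
```

The version check is deliberately exact-match rather than "less than 1.9.1", so that the unaffected 1.8.x series does not generate false positives; if the Libgcrypt project later widened the affected range, `is_affected` is the one place to change.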

Cryptographer Filippo Valsorda noted that Homebrew was affected by the flawed library. Homebrew is an open-source software package management system that simplifies the installation of software on Apple’s macOS operating system and Linux. Homebrew’s managers acknowledged the bug and fixed the issue.

Valsorda also tweeted that the 1.9.1 fix is problematic on machines with Intel CPUs.

Third-Party, Open-Source Code: Supply-Chain Problems
Bugs in third-party libraries tend to linger in applications long after patches have been released. Seventy percent of applications in use today have at least one security flaw stemming from an open-source library, according to Veracode's latest State of Software Security report.

“Most library-introduced flaws (nearly 75 percent) in applications can be addressed with only a minor version update; major library upgrades are not usually required,” according to the Veracode report. “This data point suggests that this problem is one of discovery and tracking, not huge refactoring of code.”

Cybercriminals also understand that code repositories and third-party libraries are an attractive avenue for supply-chain attacks, mounted by seeding them with malicious code. In one example from last month, three malicious software packages were published to npm, the code repository JavaScript developers use to share and reuse code.

The packages could have been used as building blocks in various web applications, and any application that pulled them in would steal tokens and other information from Discord users, researchers said.

And in December, RubyGems, an open-source package repository and manager for the Ruby web programming language, had to take two of its software packages offline after they were found to be laced with malware.

The gems contained malware that ran itself persistently on infected Windows machines and replaced any Bitcoin or cryptocurrency wallet address it found on the user’s clipboard with the attacker’s.

“We have repeatedly seen…open-source malware striking GitHub, npm and RubyGems, attackers can exploit trust within the open-source community to deliver pretty much anything malicious, from sophisticated spying trojans like njRAT, to…CursedGrabber,” Sonatype researcher Ax Sharma told Threatpost at the time.