The OpenPGP specification contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when an attacker takes a previously captured encrypted message, modifies it into a specially crafted message, sends it to a user of the vulnerable product, and entices the user to decrypt the message and then reveal the results of the decryption (for example, by replying and quoting the garbled output). This may enable the attacker to disclose a portion of the original encrypted communication, resulting in a loss of confidentiality.
Classification
Location:
Remote/Network Access Required
Attack Type:
Cryptographic
Impact:
Loss of Confidentiality
Exploit:
Exploit Rumored / Private
Disclosure:
OSVDB Verified
Technical
The attack does require some interaction from the user: the victim must decrypt the crafted message and then disclose what was decrypted. However, it should still be considered plausible against non-technical end users, who are likely to reply asking why the message arrived as garbage. The attack also depends on the recipient's software accepting the modified ciphertext and displaying the decryption result without detecting that the message was altered.
Solution
Currently, there are no known upgrades or patches to correct this issue. It is possible to mitigate the flaw by implementing the following workaround(s):
Utilizing the OpenPGP compression feature during encryption will prevent the modified message from being decompressed correctly, rendering the attack useless: the recipient gets a decompression failure instead of a garbled plaintext that could be passed back to the attacker. Note that compression must be enabled by the sender at encryption time; the recipient cannot apply this workaround to messages that were already sent to them uncompressed.