CVE-2018-12356
Published 2018-06-15
Priority: P260 · critical · CVSS 3.0 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.65% (90.6th percentile)
An issue was discovered in password-store.sh in pass in Simple Password Store 1.7.x before 1.7.2. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extension scripts. Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | password-store | < password-store 1.7.2-1 (bookworm) | password-store 1.7.2-1 (bookworm) |
| simple_password_store_project | simple_password_store | >= 1.7.0 < 1.7.2 | 1.7.2 |
Detection & IOCs (extracted from sources)
- The vulnerability lies in the signature verification routine of password-store.sh, which parses GnuPG output with an incomplete regular expression. Monitor for GPG signature verification bypass attempts against pass configuration files or extension scripts.
- Detect unauthorized injection of additional GPG encryption keys into the pass configuration file; an attacker-controlled key there receives copies of every encrypted password.
- Monitor pass extension scripts for unauthorized modification, since a tampered extension script gives the attacker arbitrary code execution.
- A detailed technical write-up of the signature spoofing technique is available on the NeoPG blog; review it for the specific GnuPG output patterns that bypass the incomplete regex.
- Only pass versions 1.7.x through 1.7.1 are affected; version 1.7.2 and later contain the fix. Ensure deployed instances are running 1.7.2 or higher.
- The attack vector is remote (spoofed file signatures delivered to the client), even though Debian's tracker lists the scope as local; treat it as remotely exploitable in threat modelling.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
GHSA
GHSA-j8m7-7fm4-j768: An issue was discovered in password-store (ghsa_unreviewed · 2022-05-14 · CRITICAL · CWE-347)
OSV
CVE-2018-12356: An issue was discovered in password-store (osv · 2018-06-15 · CVSS 9.8 · CRITICAL)
Debian
CVE-2018-12356: password-store (vendor_debian · 2018 · CVSS 9.8 · CRITICAL)
Scope: local
Release status: bookworm, bullseye, forky, sid and trixie all resolved (fixed in 1.7.2-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-12356 pass: Improper parsing of GPG output allows attackers to spoof file signatures, read passwords and execute code (bugzilla · 2018-06-15 · CVSS 9.8 · CRITICAL)
An issue was discovered in password-store.sh in pass in Simple Password Store 1.7 through 1.7.1. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extension scripts. Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution.
External References:
https://neopg.io/blog/pass-signature-spoof/
https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.htm
Bugzilla
CVE-2018-12356 pass: Improper parsing of GPG output allows attackers to spoof file signatures, read passwords and execute code [fedora-all] (bugzilla · 2018-06-15 · CVSS 9.8 · CRITICAL)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit
Bugzilla
CVE-2018-12356 pass: Improper parsing of GPG output allows attackers to spoof file signatures, read passwords and execute code [epel-all] (bugzilla · 2018-06-15 · CVSS 9.8 · CRITICAL)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit mess
References
- http://openwall.com/lists/oss-security/2018/06/14/3
- http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html
- http://seclists.org/fulldisclosure/2019/Apr/38
- http://www.openwall.com/lists/oss-security/2019/04/30/4
- https://git.zx2c4.com/password-store/commit/?id=8683403b77f59c56fcb1f05c61ab33b9fd61a30d
- https://github.com/RUB-NDS/Johnny-You-Are-Fired
- https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf
- https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.html