RA-2021-05-30: Security vulnerabilities fixed in RNP 0.15.1

30 May 2021

(was: RI-2021-001)

Metadata

ID

RA-2021-05-30

This advisory notice covers the following:

CVE-2021-33589

Name

Key protection settings not copied after unprotect action

Link

CVE-2021-33589

Problem
  • CWE-522 Insufficiently Protected Credentials

  • CWE-922 Insecure Storage of Sensitive Information

Impact

CAPEC-37 Retrieve Embedded Sensitive Data

Affected vendors

Ribose

Affected products

RNP, versions prior to 0.15.1

Abstract

A key decrypted through rnp_key_unprotect will remain unprotected after a subsequent call of rnp_key_protect.

Vulnerability details

This issue was discovered in Thunderbird versions 78.8.1 to 78.10.1, where it was found that a key decrypted through rnp_key_unprotect will remain unprotected after a subsequent call of rnp_key_protect.

This issue was the cause of CVE-2021-29956 which is described in Bugzilla Bug 1710290.

In RNP versions prior to 0.15.1, calling rnp_key_protect on a key that was “unprotected” by rnp_key_unprotect will not result in a re-protected key, as:

  • rnp_key_unlock is designed to temporarily decrypt secret key data to make the secret key usable. This call does not overwrite key protection settings.

  • rnp_key_unprotect decrypts key data and overwrites key protection settings, and stores key data in unprotected form.

In the aforementioned scenario, where rnp_key_unprotect is called and then rnp_key_protect, the key protection settings were not properly copied within RNP, leaving key material in the clear. This would not happen if the key underwent rnp_key_unlock, then rnp_key_protect instead.

Additional details

From RNP 0.15.1 onwards, rnp_key_protect implements re-protection for keys that have been “unprotected” by rnp_key_unprotect.

Upgrading to RNP 0.15.1 fixes this issue. If unprotected keys have been saved outside of RNP, a re-protection step needs to be applied.
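One way to find secret keys that were saved unprotected outside of RNP, as an added example (not code from RNP or Thunderbird): it reads the string-to-key (S2K) usage octet of each secret key packet in a binary OpenPGP export, where 0 means the secret material is stored in the clear (RFC 4880). The function names and sample bytes are constructed for illustration, and it assumes v4 RSA, DSA or Elgamal keys in non-armored form.

```python
import struct

PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # public MPIs per algorithm ID
SECRET_TAGS = {5: "secret key", 7: "secret subkey"}

def packets(data):
    """Yield (tag, body) for each packet in binary (non-armored) OpenPGP data."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        pos += 1
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
            else:
                raise ValueError("partial body lengths not supported")
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = 1 << ltype
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        yield tag, data[pos:pos + length]
        pos += length

def s2k_usage(body):
    """Return the S2K usage octet of a v4 secret-key packet body (0 = cleartext)."""
    if body[0] != 4 or body[5] not in PUBLIC_MPIS:
        raise ValueError("only v4 RSA/DSA/Elgamal keys are handled here")
    pos = 6                                  # version + creation time + algorithm
    for _ in range(PUBLIC_MPIS[body[5]]):    # skip each public MPI
        pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    return body[pos]

def unprotected_keys(data):
    """List (packet index, kind) of secret key packets stored without encryption."""
    return [(i, SECRET_TAGS[tag]) for i, (tag, body) in enumerate(packets(data))
            if tag in SECRET_TAGS and s2k_usage(body) == 0]

# Constructed sample: fake RSA secret-key packets cut off after the usage octet.
PUB = bytes([4, 0, 0, 0, 0, 1]) + b"\x00\x10\xc3\x5b" + b"\x00\x11\x01\x00\x01"
CLEAR = bytes([0xC5, len(PUB) + 1]) + PUB + b"\x00"    # new format, tag 5
LOCKED = bytes([0x9C, len(PUB) + 1]) + PUB + b"\xfe"   # old format, tag 7
```

Any key reported by unprotected_keys is a candidate for the re-protection step; ASCII-armored exports must be dearmored before being passed in.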

For Thunderbird users, auto-re-protection has been implemented in the latest release. Please refer to Bugzilla Bug 1710290 for more details.

Credits

  • Kai Engert (Mozilla) and Thunderbird users.