- -----BEGIN PGP SIGNED MESSAGE-----
- Hash: SHA256
- APPLE-SA-2018-05-14-1 AppleSecurityDocs 1.11.1
- AppleSecurityDocs 1.11.1 should soon be available, addressing the following:
- Key ID
- Available for: Everyone
- Impact: An adversary can impersonate Apple's PGP identity.
- Description: The Apple Security PGP guide refers to Apple's PGP key [via its 32-bit short ID](http://archive.is/RHmB3#selection-533.8-532.1), leading researchers to direct GPG to download every key with the same short ID. The docs should be updated to replace instances of short IDs with the respective long IDs.
- CVE-2018-4206: an anonymous researcher in control of the following PGP key: 0x2FD4817BCA4A0C42
- Impact note:
- While the full key and its fingerprint are available, many researchers use `gpg --recv-keys <KEY ID>` to download keys. Since the key ID provided by Apple's docs is only 32 bits, many researchers will end up instructing gpg to download any key that simply has the same ending.
- As shown by evil32.com, while a short ID collision attack is very easy for an adversary to do, the impact can be devastating.
- Updated information should be posted to the Apple Security
- web site: https://support.apple.com/kb/HT201214
- This message is signed with Apple's Product Security PGP key,
- and details are available at:
- http://archive.today/2018.05.12-020427/https://support.apple.com/en-us/HT201214
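The short-ID ambiguity described in the impact note can be checked locally before trusting a key. The following is an added example, not part of the original paste or of Apple's documentation: it parses `gpg --list-keys --with-colons` output and reports every primary key whose v4 fingerprint ends in a given key ID. The listing, fingerprints and function names are constructed for illustration.

```python
import re

# Constructed `gpg --list-keys --with-colons` excerpt (all values made up):
# the first two primary keys share their low 32 bits, i.e. the same short ID.
SAMPLE_LISTING = """\
pub:-:4096:1:0011223344556677:1526256000:::-:::scESC:
fpr:::::::::A1B2C3D4E5F60718293A4B5C0011223344556677:
sub:-:4096:1:1357924680ACE135:1526256000::::::e:
fpr:::::::::00112233445566778899AABB1357924680ACE135:
pub:-:2048:1:99AABBCC44556677:1526342400:::-:::scESC:
fpr:::::::::FFEEDDCCBBAA99887766554499AABBCC44556677:
pub:-:4096:1:C3D2E1F001234567:1526428800:::-:::scESC:
fpr:::::::::0F1E2D3C4B5A69788796A5B4C3D2E1F001234567:
"""

# Hex length -> what a v4 identifier of that length is called.
KINDS = {8: "short", 16: "long", 40: "fingerprint"}

def normalize(key_id):
    """Drop whitespace and an optional 0x prefix; return upper-case hex."""
    hexid = re.sub(r"\s+", "", key_id).upper()
    if hexid.startswith("0X"):
        hexid = hexid[2:]
    if not re.fullmatch(r"[0-9A-F]+", hexid) or len(hexid) not in KINDS:
        raise ValueError(f"not a v4 key ID or fingerprint: {key_id!r}")
    return hexid

def primary_fingerprints(listing):
    """Return field 10 of each fpr record that directly follows a pub record."""
    fprs, last = [], None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and last == "pub":
            fprs.append(fields[9])
        last = fields[0]
    return fprs

def audit(key_id, fprs):
    """Report which keys a key ID selects and whether it is safe to pin."""
    hexid = normalize(key_id)
    hits = [f for f in fprs if f.endswith(hexid)]
    kind = KINDS[len(hexid)]
    return {"kind": kind, "matches": hits,
            "ambiguous": len(hits) > 1, "pinnable": kind == "fingerprint"}

if __name__ == "__main__":
    keys = primary_fingerprints(SAMPLE_LISTING)
    for requested in ("44556677", "0x99AABBCC44556677", keys[0]):
        print(requested, audit(requested, keys))
```

Only the full 40-hex fingerprint is reported as pinnable; the long ID narrows the match to one key in this sample but is still a truncation of the fingerprint.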