CVE-2020-25125

7.8 HIGH

📋 TL;DR

GnuPG 2.2.21-2.2.22 has a buffer overflow vulnerability when processing OpenPGP keys with AEAD preferences. An attacker can cause a crash or potentially execute arbitrary code by tricking a victim into importing a malicious key. Users of GnuPG 2.2.x and Gpg4win 3.1.12 are affected.

💻 Affected Systems

Products:
  • GnuPG
  • Gpg4win
Versions: GnuPG 2.2.21-2.2.22, Gpg4win 3.1.12
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects GnuPG 2.2.x branch; GnuPG 2.3.x is unaffected. Vulnerability triggers when importing OpenPGP keys with AEAD preferences.

📦 What is this software?

GnuPG (GNU Privacy Guard) is the GNU implementation of the OpenPGP standard, used to encrypt, sign and verify files and email and to manage OpenPGP keys. Gpg4win is the Windows distribution that bundles GnuPG with graphical front-ends and mail-client plugins.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise if the overflow can be controlled to execute arbitrary code.

🟠 Likely Case

Application crash (denial of service) when importing malicious keys, potentially corrupting keyrings.

🟢 If Mitigated

No impact if patched versions are used or if key import from untrusted sources is prevented.

🌐 Internet-Facing: MEDIUM - Requires user interaction (importing a key) but could be delivered via email or websites.
🏢 Internal Only: LOW - Requires targeted social engineering within the organization to deliver malicious keys.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the victim to import a specially crafted OpenPGP key. No public exploit code has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: GnuPG 2.2.23 or later, Gpg4win 3.1.13 or later

Vendor Advisory: https://dev.gnupg.org/T5050

Restart Required: No

Instructions:

1. Update GnuPG using your package manager: 'sudo apt update && sudo apt upgrade gnupg' (Debian/Ubuntu) or 'sudo yum update gnupg2' (RHEL/CentOS).
2. For Gpg4win, download and install the latest version from the official website.
3. Verify the update with 'gpg --version'.

🔧 Temporary Workarounds

Disable key import from untrusted sources (platform: all)

Prevent users from importing OpenPGP keys from unknown or untrusted sources through policy or training.

Use GnuPG 2.3.x branch (platform: linux)

Upgrade to GnuPG 2.3.x, which is not affected by this vulnerability. Follow distribution-specific instructions to install GnuPG 2.3.x.

🧯 If You Can't Patch

  • Implement strict policies against importing OpenPGP keys from untrusted sources.
  • Monitor for crash logs in gpg processes and investigate any related to key import operations.

🔍 How to Verify

Check if Vulnerable:

Run 'gpg --version' and check if the version is 2.2.21 or 2.2.22. For Gpg4win, check the installed version in the About dialog.

Check Version:

gpg --version | head -1

Verify Fix Applied:

After updating, run 'gpg --version' to confirm version is 2.2.23 or higher, or 2.3.x.
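The version check above, scripted as an added example (not part of the advisory or of GnuPG itself): it parses the first line of 'gpg --version' and classifies the version against the affected range stated on this page (2.2.21 and 2.2.22 vulnerable, 2.2.23 and later fixed, other branches unaffected). The function names and the "--run" flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed GnuPG
# falls in the CVE-2020-25125 range (2.2.21 and 2.2.22; fixed in 2.2.23).

# Extract the version number from the first line of `gpg --version`,
# e.g. "gpg (GnuPG) 2.2.21" -> "2.2.21". The version is always the last field.
parse_gpg_version_line() {
  printf '%s\n' "$1" | awk '{ print $NF }'
}

# Print "vulnerable", "fixed" or "unaffected" for a version string and
# return 0 only when the version is in the affected range.
classify_gnupg_version() {
  case "$1" in
    2.2.21|2.2.22)
      echo vulnerable; return 0 ;;
    2.2.*)
      # 2.2.23 and later carry the fix; 2.2.x releases before 2.2.21 are
      # outside the affected range given in the advisory.
      patch="${1##*.}"
      if [ "$patch" -ge 23 ] 2>/dev/null; then echo fixed; else echo unaffected; fi
      return 1 ;;
    *)
      # Other branches (2.3.x and newer, or older 1.4/2.0/2.1 lines) are not affected.
      echo unaffected; return 1 ;;
  esac
}

# Check the gpg on PATH; exit status 0 means "vulnerable", so the function
# can gate a compliance script or cron job.
check_installed_gpg() {
  first_line=$(gpg --version 2>/dev/null | head -n 1)
  [ -n "$first_line" ] || { echo "gpg not found on PATH" >&2; return 1; }
  ver=$(parse_gpg_version_line "$first_line")
  printf 'GnuPG %s: %s\n' "$ver" "$(classify_gnupg_version "$ver")"
  classify_gnupg_version "$ver" >/dev/null
}

# Usage: sh gpg-cve-2020-25125-check.sh --run
if [ "${1:-}" = "--run" ]; then
  check_installed_gpg
fi
```

Note that the classification only covers the version ranges this advisory names; a distribution that backports the fix while keeping the 2.2.21 or 2.2.22 version string will still be reported as vulnerable, so confirm against your distribution's changelog in that case.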

📡 Detection & Monitoring

Log Indicators:

  • Application crashes (segmentation faults) in gpg processes during key import operations
  • Error messages related to key parsing or AEAD preferences in system logs

Network Indicators:

  • Unusual key import activities from external sources
  • Network traffic containing OpenPGP key material to internal systems

SIEM Query:

Process:gpg AND (EventID:1000 OR Signal:SIGSEGV) OR LogMessage:"key-check.c"
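The log indicators above turned into a small triage script, added here as an example that is not part of the advisory: it filters syslog/journal style lines for gpg crash records (kernel segfault lines, coredump records, explicit SIGSEGV or key-check.c mentions) and lists the crashed PIDs so they can be matched against audit records of key imports. The sample log lines are constructed for the example, not real captures.

```shell
#!/bin/sh
# Added example (not from the advisory): triage log lines for gpg crashes
# that may indicate a malicious key import (CVE-2020-25125).

# Constructed sample log lines (not real captures): two gpg crash records,
# one unrelated login, one gpg-agent start, one crash of a different program.
SAMPLE_LOGS='Sep 03 10:12:01 host kernel: gpg[4211]: segfault at 7ffd8 ip 000055d1 sp 00007ffd error 4 in gpg[55d1000+1a000]
Sep 03 10:12:01 host systemd-coredump[4215]: Process 4211 (gpg) of user 1000 dumped core.
Sep 03 10:13:44 host sshd[900]: Accepted publickey for alice from 10.0.0.5
Sep 03 10:15:02 host gpg-agent[4300]: gpg-agent (GnuPG) 2.2.21 started
Sep 03 10:16:30 host kernel: firefox[5100]: segfault at 0 ip 0 sp 0 error 4 in libxul.so'

# Print only lines that show a gpg process crashing: a kernel segfault record
# for a gpg[pid], a coredump record for (gpg), or an explicit SIGSEGV /
# key-check.c mention. Reads from stdin.
gpg_crash_lines() {
  grep -E '(gpg\[[0-9]+\]: segfault|\(gpg\) .*dumped core|SIGSEGV.*gpg|gpg.*SIGSEGV|key-check\.c)'
}

# Count matching lines so a cron job or SIEM rule can alert above a threshold.
count_gpg_crash_lines() {
  gpg_crash_lines | wc -l | tr -d ' '
}

# List unique PIDs of crashed gpg processes, taken from either record type,
# for correlation with shell history or audit logs of `gpg --import`.
gpg_crash_pids() {
  gpg_crash_lines \
    | sed -nE 's/.*gpg\[([0-9]+)\]: segfault.*/\1/p; s/.*Process ([0-9]+) \(gpg\).*/\1/p' \
    | sort -u
}

# Usage: sh gpg-crash-triage.sh --demo   (or pipe real logs into the functions)
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOGS" | gpg_crash_lines
  printf 'crash records: %s\n' "$(printf '%s\n' "$SAMPLE_LOGS" | count_gpg_crash_lines)"
  printf 'crashed gpg PIDs: %s\n' "$(printf '%s\n' "$SAMPLE_LOGS" | gpg_crash_pids | tr '\n' ' ')"
fi
```

A single crash is not proof of exploitation, since malformed keys also crash for mundane reasons; the value of the PID list is in pairing it with who ran the import and where the key came from, which is what turns a crash log into an incident.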
