lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20140312212057.41f847d9@hboeck.de>
Date: Wed, 12 Mar 2014 21:20:57 +0100
From: Hanno Böck <hanno@...eck.de>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: PowerArchiver: Uses insecure legacy PKZIP
 encryption when AES is selected (CVE-2014-2319)

PowerArchiver: Uses insecure legacy PKZIP encryption when AES is
selected (CVE-2014-2319)

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2319
http://int21.de/cve/CVE-2014-2319-powerarchiver.html
http://www.powerarchiver.com/2014/03/12/powerarchiver-2013-14-02-05-released/

Background

ftp://utopia.hacktic.nl/pub/crypto/cracking/pkzip.ps.gz

Description

The compression tool PowerArchiver version 14.02.03 creates files with
an insecure encryption method even if the user selects a (secure) AES
encryption in the GUI.

If a user clicks on the "Encrypt Files" and selects "AES 256-bit" for
encryption, the outcoming file will not be AES-encrypted. It will
instead use the legacy PKZIP encryption, which uses a broken
encryption algorithm.

Note that there are different ways in PowerArchiver to create an
encrypted ZIP file, the issue only appears when using the "Encrypt
Files"-Button.

The PKZIP encryption has been broken by Biham/Kocher in 1994.

The vendor ConeXware has released version 14.02.05 which fixes the
issue. It also disables completely support for creating archives with
the broken legacy ZIP encryption.

Disclosure Timeline

2014-03-10: Issue found, vendor contacted
2014-03-10: Vendor replies, confirms issue
2014-03-12: Vendor publishes fixed version


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ