CVE-2002-0788 in Corporate Desktop

Summary

by MITRE

An interaction between PGP 7.0.3 with the "wipe deleted files" option, when used on Windows Encrypted File System (EFS), creates cleartext temporary files that cannot be wiped or deleted due to strong permissions, which could allow certain local users or attackers with physical access to obtain cleartext information.


Analysis

by VulDB Data Team • 04/13/2019

CVE-2002-0788 describes an unwanted interaction between PGP 7.0.3 and the Windows Encrypted File System (EFS). It is not a remote or privilege-escalation flaw; it is a local information-exposure bug that appears when a user enables PGP's "wipe deleted files" option on data stored in an EFS-protected location. During the wipe, PGP produces temporary cleartext copies of the data, and the permissions on those copies are strong enough that PGP's own wipe and delete routines cannot complete the cleanup. A wipe that was supposed to destroy sensitive data therefore leaves a plaintext copy of it on disk.

The mechanism, as far as the public description documents it, lies in how PGP's wipe routine handles a file that EFS is protecting. A wipe normally overwrites the file's contents in place and then deletes it. With EFS involved, PGP ends up with a cleartext temporary file, and that file carries permissions strict enough that the subsequent wipe or delete fails. The data that should have been destroyed survives on the filesystem as plaintext, which defeats both the purpose of the wipe and the protection EFS gave the original file. The strong permissions only block PGP's cleanup; they do nothing against someone who reads the disk offline, which is exactly the physical-access attacker the summary mentions.
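As an added example, not code from VulDB or from PGP, the following PowerShell script sweeps a directory that is supposed to hold only EFS-encrypted files, lists every file stored in cleartext together with any Deny ACE on Delete that would block its removal, and with the -Remove switch overwrites and unlinks what it finds. The root path and the temporary-file name patterns are assumptions; point them at the directory PGP was wiping from.

```powershell
# Added example, not VulDB's or PGP's code: hunt for cleartext leftovers in a
# tree that is supposed to be EFS-encrypted, and optionally remove them.
# $Root and $TempPatterns are assumptions for illustration.
param(
    [string]   $Root         = "$env:USERPROFILE\Documents\Secret",  # hypothetical path
    [string[]] $TempPatterns = @('*.tmp', '~*', '*.bak'),             # assumed temp names
    [switch]   $Remove
)

$encrypted = [System.IO.FileAttributes]::Encrypted
$deleteBit = [System.Security.AccessControl.FileSystemRights]::Delete

# Any file in this tree without the EFS attribute is stored in cleartext.
$leftovers = Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { -not ($_.Attributes -band $encrypted) }

foreach ($f in $leftovers) {
    $acl = Get-Acl -LiteralPath $f.FullName

    # Explicit Deny-Delete ACEs are what stop a wipe tool from finishing the job.
    $denyDelete = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and ($_.FileSystemRights -band $deleteBit)
    })

    $isTemp = $false
    foreach ($p in $TempPatterns) { if ($f.Name -like $p) { $isTemp = $true } }

    # Emit one record per cleartext file so the output can be piped to Export-Csv etc.
    [pscustomobject]@{
        Path       = $f.FullName
        SizeBytes  = $f.Length
        Owner      = $acl.Owner
        LooksTemp  = $isTemp
        DenyDelete = ($denyDelete | ForEach-Object { $_.IdentityReference.Value }) -join ';'
    }

    if ($Remove) {
        try {
            # Overwrite before unlinking so the plaintext does not simply move into
            # free space. This is best effort: NTFS may allocate new clusters and SSDs
            # remap writes, so follow up with a free-space wipe (see note below).
            $zeros = New-Object byte[] $f.Length
            [System.IO.File]::WriteAllBytes($f.FullName, $zeros)
            Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
        } catch {
            Write-Warning ("Could not remove {0}: {1}. From an elevated prompt run " +
                "takeown /F and icacls /reset on it, then re-run with -Remove." -f
                $f.FullName, $_.Exception.Message)
        }
    }
}
```

After the leftovers are gone, overwrite the volume's free space as well (`cipher.exe /w:<directory on that volume>`), since copies that were unlinked earlier may still sit in unallocated clusters. The Deny ACEs the script reports are the "strong permissions" from the summary: they are what makes PGP's cleanup fail, and an administrator has to take ownership and reset the ACL before the file can be removed.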

The impact is data exposure rather than code execution, and it is persistent: the cleartext copy stays on disk until someone with sufficient rights removes it. VulDB classifies the issue under CWE-200 (Information Exposure), here exposure through a temporary file that the wiping process cannot clean up. An attacker needs either an account on the machine with enough rights to read the leftover file, or physical access to the disk, where NTFS permissions no longer matter once the volume is read offline. Since EFS is deployed precisely to protect data at rest against that kind of access, the flaw undercuts the main reason for using it.

VulDB maps the entry to ATT&CK T1070.004 (Indicator Removal: File Deletion). That technique describes an adversary deleting files to cover their own tracks, so the mapping is loose; what actually happens here is that the defender's deletion fails and an adversary recovers what was left behind. The more useful lesson is about composition: PGP's wipe feature and Windows EFS are each sound on their own, and it is their interaction that produces a cleartext artifact, which is why integrated systems need to be tested together rather than component by component. Organizations running PGP on EFS-protected volumes should check the locations PGP wipes from for unencrypted leftovers, audit access to those locations, and move to a PGP release that no longer shows this behaviour.
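The monitoring suggested above can be implemented with Windows object-access auditing. The following PowerShell is an added example, not anything from VulDB or PGP: it enables the File System audit subcategory, attaches a SACL entry to a hypothetical directory so that reads and deletions of files beneath it are logged as event 4663 in the Security log, and then shows how to pull those events back out. It must run from an elevated prompt, and the directory path is an assumption.

```powershell
# Added example, not VulDB's or PGP's code. Run from an elevated prompt.
param(
    [string] $Root = 'D:\EFS\Secret'   # hypothetical directory PGP wipes from
)

# 1. Turn on the "File System" object-access subcategory for success and failure.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit rule (SACL entry) that fires on read and delete of anything under $Root.
#    Get-Acl -Audit reads the SACL and needs SeSecurityPrivilege, hence the elevation.
$acl  = Get-Acl -LiteralPath $Root -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Root -AclObject $acl

# 3. Later: list recent object-access events (ID 4663) that mention the audited path.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    Where-Object { $_.Message -like "*$Root*" } |
    Select-Object TimeCreated,
                  @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
```

A read of a leftover cleartext file by an unexpected account, or a string of failed delete attempts from the wiping tool itself, both surface as 4663 events here; forward the Security log to a SIEM if the machine is not inspected by hand.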

Disclosure

08/12/2002

Moderation

accepted

Entry

VDB-18674

CPE

ready

EPSS

0.00375

KEV

no

Activities

very low

Sources
