CVE-2002-1977 in PGPinfo

Summary

by MITRE

Network Associates PGP 7.0.4 and 7.1 does not time out according to the value set in the "Passphrase Cache" option, which could allow attackers to open encrypted files without providing a passphrase.

Analysis

by VulDB Data Team • 06/11/2018

This vulnerability exists in Network Associates PGP versions 7.0.4 and 7.1, where the passphrase cache mechanism fails to respect the configured timeout settings. The flaw allows unauthorized access to encrypted files: improper handling of cached credentials bypasses the normal passphrase requirement. When users configure a specific timeout value for the passphrase cache, the software ignores this setting and maintains cached passphrases indefinitely or for extended periods beyond the configured limits. This represents a critical security weakness in the authentication and access control mechanisms of the encryption software.

The vulnerability stems from a failure in the passphrase cache management subsystem, where the timeout logic is either completely disabled or not properly enforced. The software keeps cached passphrases in memory without validating whether the cache has expired according to user-defined settings. This creates a persistent access vector that remains active long after the intended timeout should have ended the cached session. The flaw directly violates security principles for credential handling and session management, as it allows prolonged unauthorized access to encrypted data without re-authentication.
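The failure pattern described above, shown next to a cache that enforces its timeout on every read, as an added example that is not code from PGP or from this entry. The class names, the 120-second value and the sample passphrase are hypothetical, and `UnenforcedCache` illustrates the class of flaw rather than the product's actual implementation.

```python
import time

class UnenforcedCache:
    """Failure pattern: the timeout is recorded but never consulted on read."""

    def __init__(self, timeout_s):
        self.timeout_s = timeout_s  # configured, then ignored
        self._secret = None

    def store(self, passphrase):
        self._secret = bytearray(passphrase)

    def get(self):
        return bytes(self._secret) if self._secret is not None else None

class PassphraseCache:
    """Enforces the configured timeout on every read and wipes on expiry."""

    def __init__(self, timeout_s, clock=time.monotonic):
        if timeout_s < 0:
            raise ValueError("timeout must be >= 0")
        # Monotonic clock: wall-clock changes cannot extend the lifetime.
        self._timeout_s, self._clock = timeout_s, clock
        self._secret, self._expires_at = None, 0.0

    def store(self, passphrase):
        self.wipe()
        if self._timeout_s > 0:  # a timeout of 0 means "do not cache"
            self._secret = bytearray(passphrase)
            self._expires_at = self._clock() + self._timeout_s

    def get(self):
        if self._secret is not None and self._clock() >= self._expires_at:
            self.wipe()  # expired: discard before anything can use it
        return bytes(self._secret) if self._secret is not None else None

    def wipe(self):
        if self._secret is not None:
            self._secret[:] = bytes(len(self._secret))  # best-effort zeroing
            self._secret = None

def demo():
    """Constructed scenario: 120 s timeout, reads at t=119 s and t=120 s."""
    now = [0.0]  # fake clock so the example runs instantly
    weak, fixed = UnenforcedCache(120), PassphraseCache(120, clock=lambda: now[0])
    weak.store(b"constructed-sample")
    fixed.store(b"constructed-sample")
    results = []
    for t in (119.0, 120.0):
        now[0] = t
        results.append((weak.get() is not None, fixed.get() is not None))
    return results
```

`demo()` returns one `(unenforced, enforced)` pair per read time; only the enforcing cache stops answering once the configured timeout is reached.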

The operational impact extends beyond a single unauthorized access and can potentially compromise entire encrypted data repositories. Attackers who gain access to a system running PGP 7.0.4 or 7.1 can exploit this weakness to decrypt files without valid passphrases, effectively neutralizing the encryption protection. The vulnerability is particularly dangerous in multi-user environments or on shared systems, where cached passphrases might remain active for extended periods. Because the cached credentials persist, the encryption keys remain accessible even if users lock their screens or log out, creating a significant risk to data confidentiality.

Organizations should immediately update to patched versions of PGP software, as the issue affects fundamental security controls. System administrators should inventory all affected systems and add monitoring for unauthorized access attempts. The vulnerability aligns with CWE-284 Access Control Issues, specifically improper privilege management and credential handling. From an attack perspective, this weakness maps to ATT&CK technique T1552 Unsecured Credentials, as it involves the exploitation of cached authentication tokens. Security teams should also consider additional access controls and monitoring to detect potential exploitation, particularly in environments where sensitive data is stored in PGP-encrypted formats.

Reservation: 06/29/2005

Disclosure: 12/31/2002

Moderation: accepted

Entry: VDB-19619

CPE: ready

EPSS: 0.00353

KEV: no

Activities: very low
