RNP All-Zero Session Key Vulnerability in Public-Key Encryption

A vulnerability in RNP version 0.18.0 allows for the decryption of data encrypted with public-key encryption. This issue arises because the session keys used for Public-Key Encrypted Session Key (PKESK) packets are not properly initialized, leaving them as all-zero byte arrays. As a result, any data encrypted with public-key encryption in this release can be trivially decrypted by using an all-zero session key, compromising confidentiality. This vulnerability does not affect passphrase-based encryption (SKESK packets).

Impact

Exploitation of this vulnerability allows for the decryption of PKESK-encrypted data, bypassing the need for the recipient's private key and compromising the confidentiality of the encrypted messages.

Reproduction

To reproduce this vulnerability, use RNP version 0.18.0 to encrypt data with PKESK (public-key encryption) and then attempt to decrypt it using an all-zero session key. The decryption will be successful, demonstrating that the vulnerability exists.

Remediation

Upgrade to RNP version 0.18.1, which fixes the vulnerability by properly initializing the session keys for PKESK packets.