{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/pgp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["critical"],"_cs_tags":["avideo","pgp","2fa","bypass","cve-2026-33488","credential-access"],"_cs_type":"advisory","_cs_vendors":["WWBN"],"content_html":"\u003cp\u003eWWBN AVideo, an open-source video platform, contains a critical vulnerability (CVE-2026-33488) in versions up to and including 26.0. The vulnerability lies in the LoginControl plugin's PGP 2FA system, where the \u003ccode\u003ecreateKeys()\u003c/code\u003e function generates weak 512-bit RSA keys. These keys have been publicly factorable since 1999, making them susceptible to relatively quick compromise using commodity hardware. An attacker who retrieves a target user's public key can factor the 512-bit RSA modulus within hours, derive the complete private key, and decrypt any PGP 2FA challenge issued by the system, effectively bypassing the two-factor authentication. Furthermore, the \u003ccode\u003egenerateKeys.json.php\u003c/code\u003e and \u003ccode\u003eencryptMessage.json.php\u003c/code\u003e endpoints lack authentication checks, allowing anonymous users to trigger CPU-intensive key generation, potentially leading to denial-of-service conditions. A patch is available in commit 00d979d87f8182095c8150609153a43f834e351e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a target user on an AVideo platform running a vulnerable version (\u0026lt;= 26.0).\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the target user's public key, likely exposed through the AVideo application or via direct request to the \u003ccode\u003egenerateKeys.json.php\u003c/code\u003e endpoint, which lacks authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes readily available tools and commodity hardware to factor the 512-bit RSA modulus of the obtained public key.\u003c/li\u003e\n\u003cli\u003eThe factoring process yields the target user's private key in a matter of hours.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts a PGP 2FA challenge intended for the target user. This might be achieved through network sniffing or by compromising the user's email account.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the derived private key to decrypt the intercepted PGP 2FA challenge.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the decrypted challenge response to the AVideo platform.\u003c/li\u003e\n\u003cli\u003eThe AVideo platform incorrectly validates the response, granting the attacker unauthorized access to the target user's account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33488 allows attackers to completely bypass the PGP 2FA mechanism in WWBN AVideo platforms. This leads to unauthorized access to user accounts, potentially enabling attackers to steal sensitive video content, manipulate platform settings, or compromise user data. The lack of authentication on key generation endpoints can also lead to resource exhaustion and denial of service, disrupting the platform's availability. The impact is significant due to the complete circumvention of a critical security control.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit 00d979d87f8182095c8150609153a43f834e351e to remediate CVE-2026-33488.\u003c/li\u003e\n\u003cli\u003eImplement authentication checks for the \u003ccode\u003egenerateKeys.json.php\u003c/code\u003e and \u003ccode\u003eencryptMessage.json.php\u003c/code\u003e endpoints to prevent unauthorized key generation and potential denial-of-service attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect AVideo Key Generation Endpoint Access\u0026quot; to monitor for unauthorized access to the vulnerable \u003ccode\u003egenerateKeys.json.php\u003c/code\u003e and \u003ccode\u003eencryptMessage.json.php\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for unusual activity related to the \u003ccode\u003e/plugins/loginControl/\u003c/code\u003e path.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-23-avideo-pgp-bypass/","summary":"WWBN AVideo platform versions up to 26.0 generate weak 512-bit RSA keys for PGP 2FA, which can be easily factored to derive the private key and bypass the second authentication factor. Additionally, key generation endpoints lack authentication checks, exposing the system to resource exhaustion attacks.","title":"WWBN AVideo PGP 2FA Bypass via Weak Key Generation","url":"https://feed.craftedsignal.io/briefs/2024-01-23-avideo-pgp-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Pgp","version":"https://jsonfeed.org/version/1.1"}