An attacker who is able to alter an email after it was signed could change the date or invalidate the signature, making the email appear to be older or newer than it actually is. This can confuse recipients, who may think the email is dated earlier or later than it actually is. It could also lead to emails being marked as spam, leading to reduced reputation on mailing lists and other services. The OpenPGP standard has no way to indicate that the email was altered after it was signed, and the alteration can't be detected with OpenPGP software that only checks the signature's validity. An attacker can alter an email after it was signed in such a way that the email will appear to have been signed at the attacker's desired time.

CVE-2023-2227

An attacker may be able to add a minor alteration to the email, such as changing the date by one day, making it appear to be older or newer than it actually is. This can confuse recipients, who may think the email is dated earlier or later than it actually is. It could also lead to emails being marked as spam, leading to reduced reputation on mailing lists and other services. The OpenPGP standard has no way to indicate that the email was altered after it was signed, and the alteration can't be detected with OpenPGP software that only checks the signature's validity. An attacker can alter an email after it was signed in such a way that the email will appear to have been signed at the attacker's desired time.

CVE-2022-2227

This vulnerability is similar to CVE-2022-2226, but in this attack, the attacker does not alter the email at all. Instead, they use a real "signed" email that has been sent before and has a valid signature. The attacker then sends their own altered version of the signed email with a much later date. This will make it appear that their new email was sent at a much later date than the original one:

Subject: Hi there!
I'm writing you because I have some interesting news! Please read on.
The date of this email:
Date:
To whom it may concern:
I'm writing you because I have some interesting news! Please read on.
The date of this email:
Date:
To whom it may concern:
I'm writing you because I have some interesting news! Please read on.
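
A check a mail filter could apply to the situation described above: compare the Date header with the creation time recorded in the signature itself. This is an added example, not code from the original page or from any OpenPGP project. It assumes the signature was verified with GnuPG and that its machine-readable `VALIDSIG` status line is available; the function names, the one-hour tolerance and the sample data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: a replayed message carrying a much later Date header.
SAMPLE_MESSAGE = (
    "Date: Thu, 22 Dec 2022 20:15:00 +0000\n"
    "Subject: Hi there!\n"
    "\n"
    "I'm writing you because I have some interesting news!\n"
)
# Constructed status line; fields after VALIDSIG: fingerprint, date, epoch, ...
SAMPLE_STATUS = (
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 "
    "2022-06-01 1654077600 0 4 0 1 8 01 "
    "0123456789ABCDEF0123456789ABCDEF01234567\n"
)


def signature_time(status_output):
    """Return the signature creation time from a VALIDSIG status line."""
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return datetime.fromtimestamp(int(fields[4]), tz=timezone.utc)
    return None  # the verifier reported no valid signature


def check_date_against_signature(raw_message, status_output,
                                 tolerance=timedelta(hours=1)):
    """Classify the Date header relative to the signature creation time."""
    signed_at = signature_time(status_output)
    if signed_at is None:
        return "no-valid-signature"
    header = message_from_string(raw_message)["Date"]
    if header is None:
        return "missing-date"
    try:
        claimed = parsedate_to_datetime(header)
    except (TypeError, ValueError):
        return "unparseable-date"
    if claimed.tzinfo is None:  # a "-0000" zone parses to a naive UTC value
        claimed = claimed.replace(tzinfo=timezone.utc)
    skew = claimed - signed_at
    if skew > tolerance:
        return "date-later-than-signature"
    if skew < -tolerance:
        return "date-earlier-than-signature"
    return "consistent"
```

For the constructed sample the signature is valid, yet the result is `date-later-than-signature`, which is the mismatch a validity-only check does not surface.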

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/05/2023 13:52:00 UTC
