search menu icon-carat-right cmu-wordmark

CERT Coordination Center

OpenPGP and S/MIME mail client vulnerabilities

Vulnerability Note VU#122919

Original Release Date: 2018-05-14 | Last Revised: 2018-05-15

Overview

Mail clients may leak plaintext messages while decrypting OpenPGP and S/MIME messages.

Description

Email clients supporting the OpenPGP or S/MIME standards may be vulnerable to a CBC/CFB gadget attack which may allow an attacker to inject content into an encrypted email which would establish an exfiltration channel when decrypted by the victim's email client. For example, injecting an HTML image tag which, when rendered by the email client, sends the plaintext as part of an HTTP request.

CVE-2017-17688: OpenPGP CFB Attacks
CVE-2017-17689: S/MIME CBC Attacks

Additionally some email clients, which do not isolate multiple MIME parts, allow attackers to wrap an encrypted message into plaintext MIME parts, which when decrypted and rendered by the email client results in an HTML based back-channel, eliminating the need to perform the gadget attacks.

Additional details can be found in the paper describing the attacks.

Impact

A remote attack could recover plaintext from encrypted emails without access to the encryption keys.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. However, there are some mitigations that may be taken:

Decrypt mail outside of mail client
Using a separate application outside of your mail client to decrypt incoming emails prevents exfiltration channels from being opened by the email client.

Disable HTML rendering
Preventing your email client from rendering HTML will prevent the predominant form of establishing exfiltration channels.

Disable Remote Content Loading
Preventing your email client from loading remote content without permission can also help against the predominate form of establishing exfiltration channels.

Vendor Information

122919
 
Affected   Unknown   Unaffected

9Folders, Inc.

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Airmail

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Evolution

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Flipdog Solutions, LLC

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GPGTools

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GnuPG

Updated:  May 15, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html

Google

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

KMail

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MailMate

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mozilla

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Postbox, Inc.

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

R2Mail2

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ritlabs, SRL

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Roundcube

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The Enigmail Project

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The Horde Project

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Trojita

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

eM Client

Updated:  May 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 21 vendors View less vendors


CVSS Metrics

Group Score Vector
Base 0.0 AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal 0.0 E:ND/RL:ND/RC:ND
Environmental 0 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Credit is attributed to Damian Poddebniak, Christian Dresen, Jens Muller, Fabian Ising, Sebastian Schinzel1, Simon Friedberger, Juraj Somorovsky, and Jorg Schwenk

This document was written by Trent Novelly.

Other Information

CVE IDs: CVE-2017-17688, CVE-2017-17689
Date Public: 2018-05-14
Date First Published: 2018-05-14
Date Last Updated: 2018-05-15 13:46 UTC
Document Revision: 21

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.