OpenPGP and S/MIME Mail Client Vulnerabilities

Advisory No: TZCERT/SA/2018/07/02

Date of First Release: 3^rd July 2018 .

Source: CERT Coordination Center (Cert/CC), Electronic Frontier Foundation.

Product Affected:

Mozilla Thunderbird, Microsoft, MailMate, Kmail, GnuPG, Apple, Airmail, eM Client, Evolution, Google, IBM Corporation, 9Folders Inc, Flipdog Solutions, Postbox Inc etc.

Overview:

Mail clients configured to use OpenPGP (Pretty Good Privacy) or S/MIME (Secure / Multipurpose Internet Mail Extensions) are vulnerable to the disclosure of encrypted message content.

Description:

Mail client configured to use OpenPGP uses the Cipher Feedback (CFB) mode of operation and those configured to use S/MIME uses the Cipher Block Chaining (CBC) mode of operation. These modes of operation are used by the protocols to secure the message transmitted. Vulnerability in these modes of operation provide an attacker  with capability to read plain text without decryption key.

For an attack to happen, an attacker must have an access to an encrypted mail either by eavesdropping on network traffic or compromising email accounts, email servers, backup system or client computer.

Impact:

Exploitation of these vulnerabilities may allow disclosure of information.

Solution:

Currently there is no confirmed practical solution to the vulnerabilities, however there are  some recommendations to reduce the risks of exploiting the vulnerabilities as highlighted below;

1. Remove your private key from mail client or decrypt your encrypted message by pasting it on a separate tool that will decrypt the content for you;
2. Disable HTML rendering i.e. a most famous way of exploiting the vulnerabilities will be closed; and
3.  Check with your vendor for update to fix the vulnerabilities.

References:

1. https://www.kb.cert.org/vuls/id/122919
2. https://efail.de/
3. https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
4. https://tools.ietf.org/pdf/rfc4880.pdf