OpenPGP and S/MIME Mail Client Vulnerabilities

Published On: Jul 18, 2018 09:24

Advisory No: TZCERT/SA/2018/07/02

Source: CERT Coordination Center (Cert/CC), Electronic Frontier Foundation.

Software Affected:

Overview

Mail clients configured to use OpenPGP (Pretty Good Privacy) or S/MIME (Secure / Multipurpose Internet Mail Extensions) are vulnerable to the disclosure of encrypted message content.

Description

Date of First Release: 3rd July 2018.

Product Affected: Mozilla Thunderbird, Microsoft, MailMate, Kmail, GnuPG, Apple, Airmail, eM Client, Evolution, Google, IBM Corporation, 9Folders Inc, Flipdog Solutions, Postbox Inc etc.

Mail clients configured to use OpenPGP use the Cipher Feedback (CFB) mode of operation, and those configured to use S/MIME use the Cipher Block Chaining (CBC) mode of operation. The protocols use these modes of operation to secure the transmitted message. Vulnerabilities in these modes of operation give an attacker the capability to read plaintext without the decryption key. For an attack to happen, an attacker must have access to an encrypted mail, either by eavesdropping on network traffic or by compromising email accounts, email servers, backup systems or client computers.

Impact: Exploitation of these vulnerabilities may allow disclosure of information.

Solution: Currently there is no confirmed practical solution to the vulnerabilities; however, there are some recommendations to reduce the risk of exploitation, as highlighted below:

  1. Remove your private key from the mail client, or decrypt your encrypted message by pasting it into a separate tool that will decrypt the content for you;
  2. Disable HTML rendering, which closes the most well-known way of exploiting the vulnerabilities; and
  3. Check with your vendor for an update that fixes the vulnerabilities.
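
The first recommendation can be followed with a short script that pulls the armored OpenPGP block out of a saved message and decrypts it in a stand-alone gpg process, so the mail client never holds the private key or renders the result. This is an added example, not part of the original advisory; the function names, the constructed sample message, and the reliance on GnuPG's GOODMDC status line are assumptions.

```python
import email
import re
import subprocess
import sys
from email import policy

ARMOR_RE = re.compile(
    r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.DOTALL)

# Constructed sample mail; the armored body is placeholder text, not real ciphertext.
SAMPLE_RAW = (
    b"From: alice@example.org\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n\n'
    b"--b1\nContent-Type: text/html\n\n<p>see attached</p>\n"
    b"--b1\nContent-Type: text/plain\n"
    b"Content-Transfer-Encoding: quoted-printable\n\n"
    b"-----BEGIN PGP MESSAGE-----\n\nPLACEHOLDER=3DDATA\n"
    b"-----END PGP MESSAGE-----\n"
    b"--b1--\n"
)

def extract_armored_blocks(raw_message):
    """Return each armored OpenPGP message found in any leaf MIME part,
    after undoing base64 / quoted-printable transfer encoding."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    blocks = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        blocks.extend(ARMOR_RE.findall(payload.decode("ascii", errors="ignore")))
    return blocks

def decrypt_outside_client(armored, gpg="gpg"):
    """Decrypt in a stand-alone gpg process and return the result as plain text."""
    proc = subprocess.run([gpg, "--batch", "--status-fd", "2", "--decrypt"],
                          input=armored.encode("ascii"), capture_output=True)
    status = proc.stderr.decode("utf-8", errors="replace")
    # Assumption: this GnuPG build reports GOODMDC for integrity-checked data.
    if proc.returncode != 0 or "[GNUPG:] GOODMDC" not in status:
        raise ValueError("decryption failed or integrity check missing")
    return proc.stdout.decode("utf-8", errors="replace")

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a saved message (.eml)
        with open(sys.argv[1], "rb") as fh:
            for block in extract_armored_blocks(fh.read()):
                print(decrypt_outside_client(block))  # shown as text, never rendered
    else:
        print(len(extract_armored_blocks(SAMPLE_RAW)), "armored block(s) in sample")
```

Run it with the path of a saved message on a machine where the private key lives in the gpg keyring rather than in the mail client.
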
References:
  1. https://www.kb.cert.org/vuls/id/122919
  2. https://efail.de/
  3. https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
  4. https://tools.ietf.org/pdf/rfc4880.pdf

