Macau Computer Emergency Response Team

EFAIL Attacks: Vulnerabilities in OpenPGP and S/MIME Leak the Plaintext of Encrypted Emails
Wednesday, 16 May 2018 15:00

Description:
OpenPGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions) are both standards used to digitally sign, encrypt and decrypt emails. The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. When email clients are configured to automatically decrypt the encrypted emails that users receive and are also configured to load external resources automatically, attackers can abuse this behavior to steal messages in plaintext just by sending the victim a modified version of the same encrypted email content.

CVE Numbers:
CVE-2017-17688: OpenPGP CFB Attacks
CVE-2017-17689: S/MIME CBC Attacks

Systems Affected:
Email clients supporting the OpenPGP or S/MIME standards are vulnerable to EFAIL attacks. Please refer to the paper (https://efail.de/efail-attack-paper.pdf) for further information.

Mitigations:
To prevent EFAIL attacks, users are advised to:
‧ Decrypt S/MIME or PGP emails in a separate application outside of the email client
‧ Disable HTML rendering
‧ Disable remote content loading
‧ Apply patches from email client vendors
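
A mail gateway or triage script can flag messages that combine the two conditions named in the description: an encrypted part, plus HTML that would make a client fetch remote content. The following is an added example, not part of the original advisory; the function name, the attribute list and the sample message are constructed for illustration.

```python
import email
import re
from email import policy

# Content types that mark a PGP/MIME or S/MIME encrypted part.
ENCRYPTED_TYPES = {"application/pgp-encrypted", "application/pkcs7-mime",
                   "application/x-pkcs7-mime"}
# Attributes that make an HTML renderer fetch a URL without user action.
# Illustrative, not exhaustive (CSS url() and other vectors are not covered).
# A regex is used so that malformed markup is still matched.
REMOTE_REF = re.compile(
    r"""<\s*(\w+)[^>]*?\b(?:src|background|poster)\s*=\s*["']?\s*(?:https?:)?//""",
    re.IGNORECASE)

def efail_risk(raw: bytes) -> dict:
    """Flag a message with an encrypted part AND cleartext HTML with remote refs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    encrypted, remote = False, []
    for part in msg.walk():
        ctype = part.get_content_type()
        # application/pkcs7-mime is also used for signed-only data; skip that.
        if ctype in ENCRYPTED_TYPES and part.get_param("smime-type", "") != "signed-data":
            encrypted = True
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content()
            if "-----BEGIN PGP MESSAGE-----" in body:  # inline PGP armor
                encrypted = True
            if ctype == "text/html":
                remote += [m.group(1).lower() for m in REMOTE_REF.finditer(body)]
    return {"encrypted": encrypted, "remote_refs": remote,
            "flag": encrypted and bool(remote)}

# Constructed sample: an HTML part with a remote image next to an S/MIME part
# whose body is a placeholder, not real ciphertext.
SAMPLE = b"""\
From: a@example.org
To: b@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Hello</p><img src="http://remote.example/pixel.png">
--b1
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""

if __name__ == "__main__":
    print(efail_risk(SAMPLE))
```

This check only sees cleartext MIME parts; HTML carried inside the ciphertext itself is invisible to it, so it complements the client-side mitigations above rather than replacing them.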

Reference:
https://efail.de/
https://efail.de/efail-attack-paper.pdf
https://www.kb.cert.org/vuls/id/122919

 