Description:
OpenPGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions) are both standards used to digitally sign, encrypt and decrypt emails. The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. When Email clients are configured to automatically decrypt the content of encrypted emails user receive and are also configured to load external resources automatically, attackers can abuse this behavior to steal messages in plaintext just by sending victim a modified version of the same encrypted email content.

CVE Numbers:
CVE-2017-17688: OpenPGP CFB Attacks
CVE-2017-17689: S/MIME CBC Attacks

Systems Affected:
Email clients supporting the OpenPGP or S/MIME standards are vulnerable to EFAIL attacks. Please refer to the paper (https://efail.de/efail-attack-paper.pdf) for further information.

Mitigations:
To prevent EFAIL attacks, users are advised to
‧ Decrypt S/MIME or PGP emails in a separate application outside of email client
‧ Disable HTML rendering
‧ Disable Remote Content Loading
‧ Apply patches from Email client vendors

Reference:
https://efail.de/
https://efail.de/efail-attack-paper.pdf
https://www.kb.cert.org/vuls/id/122919