Bug 1577906 (CVE-2017-17688)
Summary: | CVE-2017-17688 OpenPGP: CFB gadget attacks allows to exfiltrate plaintext out of encrypted emails | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | alexl, cschalle, gecko-bugs-nobody, gecko-bugs-nobody, jgrulich, jhorak, john.j5live, kevin, lupinix.fedora, pjasicek, projects.rg, rdieter, rhughes, rstrode, sandmann, stransky |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Last Closed: | 2019-06-10 10:22:50 UTC | Type: | --- |
Bug Depends On: | 1577915, 1577910, 1577911, 1577912, 1577913, 1577914, 1577916, 1577917, 1577918 | ||
Bug Blocks: | 1577878 |
Description
Adam Mariš
2018-05-14 12:17:24 UTC
Created evolution tracking bugs for this issue:
Affects: fedora-all [bug 1577910]

Created kmail tracking bugs for this issue:
Affects: fedora-all [bug 1577911]

Created thunderbird tracking bugs for this issue:
Affects: fedora-all [bug 1577914]

Created thunderbird-enigmail tracking bugs for this issue:
Affects: epel-7 [bug 1577917]
Affects: fedora-all [bug 1577912]

Created trojita tracking bugs for this issue:
Affects: epel-7 [bug 1577915]
Affects: fedora-all [bug 1577913]

The research paper talks about use of HTML as a back channel to create an oracle for modified encrypted emails. HTML emails which use external links like "<img href="tla.org/TAG"/>" can cause security issues if they are honored by the MUAs. Due to flaws in MIME parsers many MUAs seem to concatenate decrypted HTML MIME parts which makes it easy to plant such snippets in HTML emails.

The easiest way to mitigate this vulnerability is not to use HTML emails. If you really need to use them, ensure that MUA clients disable external links embedded in HTML emails. For example in Thunderbird email client Edit->Preferences->Privacy->Disable "Allow remote content in messages".

Please refer to https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html about how GnuPG can mitigate this flaw.

Statement:

The research paper talks about use of HTML as a back channel to create an oracle for modified encrypted emails. HTML emails which use external links like "<img href="tla.org/TAG"/>" can cause security issues if they are honored by the MUAs. Due to flaws in MIME parsers many MUAs seem to concatenate decrypted HTML MIME parts which makes it easy to plant such snippets in HTML emails.

Please refer to https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html about how GnuPG can mitigate this flaw.

Mitigation:

The easiest way to mitigate this vulnerability is not to use HTML emails. If you really need to use them, ensure that MUA clients disable external links embedded in HTML emails. For example in Thunderbird email client, Edit->Preferences->Privacy->Disable "Allow remote content in messages".

This and CVE-2017-17688 in Thunderbird 52.8 as part of CVE-2018-5162.

Note: Further investigation suggests that evolution-data-server package may not be affected by this flaw as per: https://bugzilla.redhat.com/show_bug.cgi?id=1577910#c3
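
As an added example (not part of this bug report and not code from any MUA or from GnuPG), the following Python script lists the remote references in a message's HTML parts, which is the content the "Allow remote content in messages" setting blocks, and reports whether the same message also carries an OpenPGP block. The attribute list, the names `RemoteRefFinder` and `audit_message`, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser

# Assumption: attributes that commonly trigger or point at a network fetch.
URL_ATTRS = {"src", "href", "background", "poster", "data", "action"}
REMOTE = ("http://", "https://", "//")

class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for attributes that point off-host."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = (value or "").strip()
            if name in URL_ATTRS and url.lower().startswith(REMOTE):
                self.refs.append((tag, name, url))

def audit_message(raw):
    """Return (remote_refs, has_pgp_block) for a raw RFC 5322 message."""
    refs, encrypted = [], False
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        body = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", "replace")
        if "-----BEGIN PGP MESSAGE-----" in body:
            encrypted = True
        elif part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(body)
            refs.extend(finder.refs)
    return refs, encrypted

# Constructed sample: an HTML part with a remote image next to a PGP block.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; charset=utf-8

<p>hello</p><img src="http://tla.example/TAG"><a href="#top">top</a>
--B
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--B--
"""
```

A message for which `audit_message` returns both a non-empty reference list and `True` combines encrypted content with HTML that would reach out to the network if remote content were allowed.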