Bug 1577906 (CVE-2017-17688) - CVE-2017-17688 OpenPGP: CFB gadget attacks allows to exfiltrate plaintext out of encrypted emails
Summary: CVE-2017-17688 OpenPGP: CFB gadget attacks allows to exfiltrate plaintext out...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-17688
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1577915 1577910 1577911 1577912 1577913 1577914 1577916 1577917 1577918
Blocks: 1577878
TreeView+ depends on / blocked
 
Reported: 2018-05-14 12:17 UTC by Adam Mariš
Modified: 2021-02-17 00:19 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:22:50 UTC
Embargoed:

Attachments (Terms of Use)

Description Adam Mariš 2018-05-14 12:17:24 UTC 
Vulnerabilities in OpenPGP specification can be abused by so-called CFB gadget attacks to exfiltrate the plaintext from encrypted email. Attacker having access to encrypted emails of a victim can modify them to inject an image tag into them and create a single encrypted body part that exfiltrates its own plaintext when the victim opens the attacker email.

External References:

https://efail.de/
Comment 1 Adam Mariš 2018-05-14 12:23:41 UTC 
Created evolution tracking bugs for this issue:

Affects: fedora-all [bug 1577910]


Created kmail tracking bugs for this issue:

Affects: fedora-all [bug 1577911]


Created thunderbird tracking bugs for this issue:

Affects: fedora-all [bug 1577914]


Created thunderbird-enigmail tracking bugs for this issue:

Affects: epel-7 [bug 1577917]
Affects: fedora-all [bug 1577912]


Created trojita tracking bugs for this issue:

Affects: epel-7 [bug 1577915]
Affects: fedora-all [bug 1577913]
Comment 3 Huzaifa S. Sidhpurwala 2018-08-23 06:48:30 UTC 
The research paper talks about use of HTML as a back channel to create an oracle for modified encrypted emails. HTML emails which use external links like "<img href="tla.org/TAG"/>" can cause security issues if they are honored by the MUAs. Due to flaws in MIME parsers many MUAs seem to concatenate decrypted HTML mine parts which makes it easy to plan such snippets in HTML emails. The easiest way to mitigate this vulnerability is not to use HTML emails. If you really need to use them ensure that MUA clients disable external links embedded in HTML emails. For example in thunderbird email client Edit->Preferences->Privacy->Disable "Allow remote content in messages". Please refer to https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html about how GnuPG can mitigate this flaw.
Comment 4 Huzaifa S. Sidhpurwala 2018-08-23 06:48:43 UTC 
Statement:

The research paper talks about use of HTML as a back channel to create an oracle for modified encrypted emails. HTML emails which use external links like "<img href="tla.org/TAG"/>" can cause security issues if they are honored by the MUAs. Due to flaws in MIME parsers many MUAs seem to concatenate decrypted HTML mine parts which makes it easy to plan such snippets in HTML emails. Please refer to https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html about how GnuPG can mitigate this flaw.
Comment 5 Huzaifa S. Sidhpurwala 2018-08-23 06:48:52 UTC 
Mitigation:

The easiest way to mitigate this vulnerability is not to use HTML emails. If you really need to use them ensure that MUA clients disable external links embedded in HTML emails. For example in thunderbird email client, Edit->Preferences->Privacy->Disable "Allow remote content in messages".
Comment 6 Doran Moppert 2018-08-24 02:20:04 UTC 
This and CVE-2017-17688 in Thunderbird 52.8 as part of CVE-2018-5162.
Comment 7 Huzaifa S. Sidhpurwala 2019-05-29 05:31:51 UTC 
Note:

Further investigation suggests that evolution-data-server package may not be affected by this flaw as per: https://bugzilla.redhat.com/show_bug.cgi?id=1577910#c3
Note You need to log in before you can comment on or make changes to this bug.