SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


Try our Premium Alert Service
 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (Security)  >   OpenPGP Vendors:   OpenPGP.org
OpenPGP CFB Mode Authentication Flaw Lets Remote Users Decrypt and Obtain Potentially Sensitive Information from the Target User's Email Client
SecurityTracker Alert ID:  1040904
SecurityTracker URL:  http://securitytracker.com/id/1040904
CVE Reference:   CVE-2017-17688   (Links to External Site)
Date:  May 14 2018
Impact:   Disclosure of user information
Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in OpenPGP. A remote user can decrypt and obtain potentially sensitive information on the target system.

A remote user with access to a target user's PGP encrypted email message can exploit a property of Cipher Feedback Mode (CFB) by modifying known plaintext blocks (such as MIME headers). When the target user decrypts and views the modified email message, the target user's mail client will parse the resulting modified HTML content and disclose the original plaintext to a remote URL.

This exploit is the "CFB gadget" attack method of the vulnerability referred to as "EFAIL".

Various email clients or email client plugins that use OpenPGP or implement the PGP standard are affected.

The original advisory is available at:

https://efail.de/efail-attack-paper.pdf

Damian Poddebniak, Christian Dresen, Jens Muller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jorg Schwenk reported this vulnerability.

Impact:   A remote user with access to a target user's encrypted email message can obtain decrypted plaintext from the target user's mail client.
Solution:   No solution was available at the time of this entry.

[Editor's note: The Electronic Frontier Foundation has recommended that users of PGP-based email clients disable and/or uninstall tools that automatically decrypt PGP-encrypted email. See URL: https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0]

Vendor URL:  www.openpgp.org/ (Links to External Site)
Cause:   Access control error, Authentication error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC