A weakness in the OpenPGP and S/MIME standard has been disclosed to multiple vendors. The researchers have published a paper describing a proof of concept exploit that will allow an attacker to de-crypt previously acquired user messages. CVE-2018-17688 and CVE-2018-17689 have been assigned to track these vulnerabilities. OpenPGP is an internet standards document that describes the operation of PGP, GNU Privacy Guard is an open source implementation of this standard . Similar to OpenPGP, S/MIME also provides end to end encryption for email.
The attacker needs access to encrypted message meant for the target user. The attacker modifies the cipher text to conceal an ex-filtration channel. Email receives this message and de-crypts it and the plain text is ex-filtrated to the attacker.
Direct Ex-filtration
It exploits the way email clients handle HTML content. The attacker crafts a message with <img> html tag with custom URL for the src property. The URL contains the cipher text. The src property does not contain the end quote. The email client de-crypts the cipher text in the URL and attempts to load the image for <img> tag. In this way the plain text is ex-filtrated to the attacker via an HTTP request containing the plain text.
Malleability gadget Ex-filtration channels
OpenPGP does not enforce integrity checks to the fullest extent and does not describe mechanism to handle messages where integrity check fails. Attackers can exploit this loophole via CBC/CFB gadget attacks. Similar to direct ex-filtration, attackers can change captured messages and use them to ex-filtrate plain text by abusing the email client’s HTML parser.
Both CBC and CFB provide malleability, meaning we can reorder, remove or insert cipher text blocks without the encryption key. Since the standard does provide adequate details on integrity check fails. An attacker can exploit this by crafting malleability gadgets and inserting these gadgets in the plaintext. This attack is possible if the attacker knows a single complete plaintext block from the cipher text. Upon receiving this message, the email client will ex-filtrate the plain text to the attacker via HTTP traffic.
Mitigation
EFF recommends users to uninstall or disable your PGP and use alternative end to end secure communication channels. Qualys will actively add detections as soon as respective mail client vendors release their patches addressing Efail.
Please continue to follow Qualys Threat Protection for more information on vulnerabilities.
References
CVE-2017-17689
CVE-2017-17689
EFAIL
Affected clients
Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw