The EFAIL OpenPGP & S/MIME vulnerabilities
Those who follow the security news could hardly have missed the release of the ‘EFAIL’ vulnerabilities this week. In brief, issues have been found with OpenPGP and S/MIME email encryption which can potentially expose the decrypted text of a message to attackers.
What are PGP and S/MIME?
The authors of the EFAIL paper cover this well, but ultimately email is a plaintext communication medium – much like the majority of pen and paper letters outside of spy films – and PGP and S/MIME are methods of encrypting the content of these messages.
It should be noted at this point that PGP and S/MIME serve a different purpose to TLS. The latter is a method of securing data in transit: when the email arrives on the recipient’s machine it is no longer encrypted. PGP and S/MIME, on the other hand, secure the data at rest (and, as a by-product, provide an additional layer of security in transit). This is particularly desirable for anyone who is concerned about the security of their communications should, for example, their laptop be stolen – S/MIME is often used in enterprises for this very reason.
The EFAIL vulnerabilities
The full details of EFAIL are naturally provided by the authors, but the two variants both look at ‘tricking’ an email client into revealing the decrypted text of a message.
Separate CVE numbers have been assigned for the gadget attacks against OpenPGP (CVE-2017-17688) and S/MIME (CVE-2017-17689).
Direct exfiltration
The first vulnerability involves wrapping the encrypted text in a malformed HTML image tag. After the email client has decrypted the email, the blob of decrypted content sits inside the source URL section of the tag, resulting in the client making a request to a domain containing the entire decrypted text – assuming the attacker controls the server receiving the request, they now have the full message (or at least the important bit) in plain text.
While this variant affects the popular Apple Mail and Mozilla Thunderbird clients, the good news is that it is theoretically fixable by patching the email clients.
CBC/CFB gadget attack
The second variant is rather more technical and effectively relies on the combination of the known format of S/MIME emails in particular with block cipher techniques although again, at the end of the day, the goal again is to insert a malformed tag to trick the client into making an HTTP request containing the plain text of the message.
This variant is reportedly more effective against S/MIME than PGP encryption, but unfortunately should work against any standard-compliant email client.
Protection & mitigation
It is worth noting that in both cases someone needs to intercept your email to carry out the attack. This significantly reduces the likelihood of EFAIL becoming widespread, although for ‘high value’ targets such as politicians, journalists, etc. the risk is still serious.
Naturally, we recommend applying any vendor patches which may be released to counter these vulnerabilities as soon as they become available. In the meantime, there are steps that can be taken to attempt to minimise risk:
Disable HTML Email – Frequently recommended by the security industry, disabling the rendering of HTML email will prevent your email client from parsing image links (among other things). While this doesn’t guarantee safety, it removes many potential avenues of attack within email content. Note that this is specifically disabling the viewing of HTML email which you have received, as opposed to simply changing the default format in which you write and send messages.
Disable automatic decryption in your email client – Note that this does not mean stopping the use of PGP or S/MIME. It simply means that your email client no longer handles the decryption for you. The EFF provide details on how to take this step in Thunderbird, Apple Mail, and iOS Mail.
As ever, Forcepoint Security Labs will continue to monitor for new developments and attacks in the wild.
