OpenPGP & S/MIME Mail Client Vulnerabilities

A number of vulnerabilities in the OpenPGP and S/MIME email encryption standards have been disclosed by a group of researchers.

Threat ID:: CC-2398
Category:: Exploit
Threat Severity:: Medium
Threat Vector:
Published:: 16 May 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

A number of vulnerabilities in the OpenPGP and S/MIME email encryption standards have been disclosed by a group of researchers.

Threat details

They claim these could be exploited by a remote attacker to gain access to plain text versions of encrypted email messages.

The first vulnerability describes how an intentionally misconfigured HTML object can be used to obtain decrypted messages. The example the researchers give encloses the encrypted text within an HTML image tag. When this email is received and decrypted by an affected mail client it will send a URL requesting the image file to the sender; as the HTML tag enclosed the text this URL contains the decrypted text, at which point the sender has access to it.

The second two vulnerabilities describe how specific cryptographic attacks can be used to identify where to inject tags in order to exploit the first vulnerability.

For further information

Remediation steps

Type	Step
	At the time of publication there is no known solution to fully rectify these vulnerabilities; however, the researchers have produced several partial mitigation suggestions. Decrypt mail outside of the mail client to prevent the later two vulnerabilities being exploited. Disable HTML rendering. Disable remote content loading. All major mail client vendor have announced updates are being produced for their clients to rectify these vulnerabilities. Users are advised to apply these updates as they become available.

Type

Step

At the time of publication there is no known solution to fully rectify these vulnerabilities; however, the researchers have produced several partial mitigation suggestions.

Decrypt mail outside of the mail client to prevent the later two vulnerabilities being exploited.
Disable HTML rendering.
Disable remote content loading.

All major mail client vendor have announced updates are being produced for their clients to rectify these vulnerabilities. Users are advised to apply these updates as they become available.

CVE Vulnerabilities

Status

CVE-2017-17688

Status

CVE-2017-17689

Last edited: 17 February 2020 12:51 pm