Email Client Spoofing Vulnerabilities

Summary

Security researchers have released details of several vulnerabilities in various implementations of the OpenPGP and S/MIME email encryption standards.


Threat details

They claim that a remote attacker could exploit these vulnerabilities to spoof email signatures in most popular email clients.

The vulnerabilities all appear to arise as a result of poor or inconsistent implementations of the standards, with the researchers identifying five primary types of vulnerability:

  • CMS Mishandling - Vulnerabilities arising from mishandling of the S/MIME container format, Cryptographic Message Syntax (CMS), which can result in contradicting header and signature information.
  • MIME Wrapping - Flaws in how clients handle partially signed messages, which can be exploited to force clients to display incorrect signatures while verifying unrelated signatures.
  • ID Binding - Clients failing to properly bind sender identities to messages, which can result in an attacker displaying valid signatures when sending malicious messages.
  • GPG API Injection - Failures to correctly parse inputs can allow arbitrary strings to be injected into the GPG status API and logging messages. These can be used to display false or misleading messages to users.
  • UI Redressing - Unprotected signature UI elements that can be mimicked by an attacker to display valid signatures.
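
The ID Binding item above, as an added example (not code from the researchers or from any affected client): a Python check a mail client could run after a signature has verified, showing a "signed by" indicator only when the single From mailbox matches an address in the signer's key or certificate. The function name, the `signer_emails` input and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string, policy

def bind_signer_to_sender(raw_message, signer_emails):
    """Return (state, detail) for a message whose signature ALREADY verified.

    signer_emails: addresses from the signer's validated key or certificate
    (hypothetical input; a real client gets these from its crypto backend).
    """
    msg = message_from_string(raw_message, policy=policy.default)
    from_headers = msg.get_all("From", [])
    # Several From headers let the displayed sender differ from the checked one.
    if len(from_headers) != 1:
        return ("unbound", f"{len(from_headers)} From headers")
    mailboxes = from_headers[0].addresses
    if len(mailboxes) != 1:
        return ("unbound", f"{len(mailboxes)} mailboxes in From")
    # Compare the addr-spec only; the display name is free text set by the sender.
    # Case-folding the whole address is a simplification made for this example.
    sender = mailboxes[0].addr_spec.casefold()
    if sender not in {e.casefold() for e in signer_emails}:
        return ("mismatch", sender)
    return ("bound", sender)

# Constructed sample messages (not taken from the research).
SIGNER = ["alice@example.org"]
HONEST = "From: Alice <alice@example.org>\nSubject: hi\n\nbody\n"
OTHER_SENDER = 'From: "alice@example.org" <carol@other.example>\nSubject: hi\n\nbody\n'
TWO_FROM = "From: Alice <alice@example.org>\nFrom: carol@other.example\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for name, raw in [("honest", HONEST), ("other sender", OTHER_SENDER),
                      ("two From", TWO_FROM)]:
        print(name, bind_signer_to_sender(raw, SIGNER))
```

Only the "bound" state should lead to a valid-signature indicator; "mismatch" and "unbound" should be shown as a signature that does not cover the displayed sender.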

For further information:


Remediation steps

All affected clients have been updated to address these vulnerabilities. Users and administrators are encouraged to contact their relevant suppliers to acquire and apply these updates.


Last edited: 14 February 2020 2:52 pm