Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Efail Email Encryption Vulnerabilities Expose OpenPGP Users to Risk

    By
    Sean Michael Kerner
    -
    May 14, 2018
    Share
    Facebook
    Twitter
    Linkedin
      EFAIL

      Security researchers on May 14 announced a new set of vulnerabilities—dubbed Efail—in the widely deployed S/MIME and OpenPGP email encryption technologies.

      In a 21-page academic paper, the researchers from Munster University, Ruhr University Bochum and KU Leuven detail Efail, which could potentially enable an attacker to read emails that have been encrypted with the OpenPGP and S/MIME standards.

      “We describe novel attacks built upon a technique we call malleability gadgets to reveal the plaintext of encrypted emails,” the researchers wrote. “We devise working attacks for both OpenPGP and S/MIME encryption, and show that exfiltration channels exist for 23 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients.”

      There are two different vulnerabilities detailed in the Efail paper: CVE-2017-17688 for the OpenPGP attacks and CVE-2017-17689 for S/MIME. Among the popular email clients the researchers found to be at risk are Apple Mail, iOS Mail and Mozilla Thunderbird. The Efail attacks do not provide attackers with a method to access a victim’s email account, but rather are all about the encryption layer.

      “The Efail attacks require the attacker to have access to your S/MIME or PGP encrypted emails,” the Efail website FAQ states. “You are thus only affected if an attacker already has access to your emails. However, the very goal of PGP or S/MIME encryption is the protection against this kind of attacker.”

      Technical Details

      The research paper details multiple approaches for using the vulnerabilities to decrypt S/MIME and OpenPGP encrypted emails. In one attack method, the researchers take advantage of Cipher Feedback Mode (CFB) in OpenPGP and Cipher Block Chaining (CBC) in S/MIME. According to the researchers, both CFB and CBC enable an attacker to reorder, remove or insert ciphertext blocks, or to perform meaningful plaintext modifications without the encryption key. 

      “Malleability of these two encryption modes is well-known and has been exploited in many attacks on network protocols like TLS, IPsec, or SSH, but it has not been exploited in plaintext-recovery attacks on email standards,” the researchers wrote.

      Another attack method that the researchers detailed is a relatively simple approach that exploits the interaction of HTML with S/MIME and OpenPGP.

      “In the most straightforward example of our attacks, the adversary prepares a plaintext email structure that contains an <img> element, whose URL is not closed with quotes,” the researchers wrote.

      The research paper details a method whereby the simple omission of not closing the URL with quotes can enable an attacker to get access to the decrypted email contents.

      “It is astonishing that these vulnerabilities are still present in current versions of Thunderbird or Apple Mail,” the researchers wrote.

      Mitigation

      Patching efforts from multiple vendors are underway, but in the near term, the researchers suggest mitigation steps to minimize the risk of exploitation via the Efail attack methods.

      For the HTML risk, the researchers advise that OpenPGP and S/MIME users simply disable HTML rendering.

      “The Efail attacks abuse active content, mostly in the form of HTML images, styles, etc.,” the Efail site states. “Disabling the presentation of incoming HTML emails in your email client will close the most prominent way of attacking Efail.”

      Another short-term fix suggested by security researchers is that OpenPGP and S/MIME users decrypt emails outside of their primary email client. The Efail attacks rely on external communication, and if a user is decrypting emails in a stand-alone application, the risks are somewhat muted.

      Beyond short-term mitigations, there are longer-term efforts needed to fully secure S/MIME and OpenPGP based email encryption as well.

      “The Efail attacks exploit flaws and undefined behavior in the MIME, S/MIME, and OpenPGP standards,” the researchers wrote. “Therefore, the standards need to be updated, which will take some time.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×