CERT-In Vulnerability Note
OpenPGP & S/MIME Mail Client Vulnerabilities (Efail)
Original Issue Date: May 15, 2018
Severity Rating: HIGH
- Various email clients or email client plugins that use OpenPGP or implement the PGP standard are affected.
Multiple information disclosure vulnerabilities have been reported in OpenPGP and S/MIME mail clients, which a remote attacker could exploit to trigger sensitive information disclosure on the targeted system.
These vulnerabilities exploit a property of the Cipher Block Chaining (CBC) and Cipher Feedback (CFB) modes by modifying known plaintext blocks (such as MIME headers). Email clients that support the OpenPGP or S/MIME standards may be vulnerable to a CBC/CFB gadget attack, which may allow an attacker to inject content into an encrypted email. This would establish an exfiltration channel when the email is decrypted by the victim's email client.
When the target user decrypts and views the modified email message, the target user's mail client will parse the resulting modified HTML content and disclose the original plaintext to a remote URL.
- Decrypt mail outside of mail client: Use a separate application outside of your mail client to decrypt incoming emails.
- Disable Rendering of HTML: Prevent your email client from rendering HTML. This will prevent the predominant form of establishing exfiltration channels.
- Disable Remote Content Loading: Prevent your email client from loading remote content without permission.
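One way to check a message that was decrypted outside the mail client, before it is opened in anything that renders HTML, is to list every URL the HTML would load automatically. This is an added example, not part of the CERT-In note; the function names, the attribute list and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Attributes an HTML renderer may fetch without any user action (assumed list).
AUTO_LOAD_ATTRS = {"src", "href", "background", "poster", "data"}
# href on these tags is only followed on click, so it is not an automatic load.
CLICK_ONLY_TAGS = {"a", "area"}

class RemoteRefFinder(HTMLParser):
    """Collect (tag, attribute, url) for each automatically loaded remote URL."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in AUTO_LOAD_ATTRS or not value:
                continue
            if name == "href" and tag in CLICK_ONLY_TAGS:
                continue
            url = value.strip()
            # http(s) and protocol-relative URLs leave the machine; cid:/data: do not.
            if url.lower().startswith(("http://", "https://", "//")):
                self.refs.append((tag, name, url))

def audit_message(raw):
    """Return remote references in every text/html part of a decrypted message."""
    msg = message_from_string(raw, policy=default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            found.extend(finder.refs)
    return found

# Constructed sample message (not taken from the advisory).
SAMPLE = """\
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>hello</p><img src="http://remote.example/pixel.png">
<img src="cid:logo@example.org"><a href="https://remote.example/page">link</a>
"""

if __name__ == "__main__":
    print(audit_message(SAMPLE))
```

A non-empty result means the message would contact a remote host when rendered, so it should be read as plain text instead.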
The information provided herein is on "as is" basis, without warranty of any kind.
Email: email@example.com Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003