Monday, May 14, 2018

EFail Vulnerabilities in OpenPGP and S/MIME

Efail (PDF, Hacker News, MacRumors, ArsTechnica):

The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.

The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.


The victim’s client decrypts the encrypted second body part and stitches the three body parts together in one HTML email as shown below. Note that the src attribute of the image tag in line 1 is closed in line 4, so the URL spans over all four lines.

The email client then URL encodes all non-printable characters (e.g., %20 is a whitespace) and requests an image from that URL. As the path of the URL contains the plaintext of the encrypted email, the victim’s email client sends the plaintext to the attacker.


Second, we describe the novel CBC/CFB gadget attacks which abuse vulnerabilities in the specification of OpenPGP and S/MIME to exfiltrate the plaintext.

Matthew Green:

PGP has supported proper optional message authentication (which stops this attack) since 2001, but it can’t be made mandatory because “some implementations haven’t kept up.”


So in summary, PGP clients are vulnerable because 17 years after a vulnerability was known, the mitigation was not made a default in GnuPG and defense was instead “left to PGP clients”, which also make a convenient scapegoat when it goes pear-shaped.


Moving on from the question of who is to blame, there are two neat findings in this work. The first is that most mail clients are (were) way too willing to reach out to remote servers, even when set up not to. This is: yikes.

Update (2018-05-14): See also: Bruce Schneier.

Update (2018-05-15): Howard Oakley:

It appears that macOS High Sierra 10.13.4 does address direct exfiltration of S/MIME email, with the following fix now reported in its security release notes[…]

Update (2018-05-18): See also: Matthew Green.

Comments RSS · Twitter

Leave a Comment