UPDATE from May 16, 2018:
In order to proactively protect our corporate customers, who are still encrypting and decrypting their emails via an in-house solution and have not yet booked the Hornetsecurity Encryption Service, from EFAIL, we have also developed a special filter level for attacks according to the EFAIL pattern. The only prerequisite for this is that their email communication runs via the Hornetsecurity servers, which is generally the case with our email security products. The filter level is already activated by default for all our customers who have booked at least the Hornetsecurity spam filter service and. It protects not only against EFAIL, but also against future attacks with similar patterns. +++++ A known vulnerability
is transferred to the PGP
and S/MIME protocols
and takes email manipulation
to a new level. No problem for Hornetsecurity
On Monday, May 14, 2018, a team of security researchers from the University of Applied Sciences Münster, the Ruhr University Bochum and the University of Leuven (Belgium) published a paper
that questions the security of the PGP and S/MIME encryption standards
and thus attracts worldwide attention.
However, the vulnerabilities discovered (CVE-2017-17688 and CVE-2017-17689)
do not affect the protocols themselves, but use an already known vulnerability to decrypt encrypted emails
by the mail client and send them to the attacker.
A prerequisite for the execution of the attacks is that the attacker already possesses emails in encrypted form. To do this, the emails need to be intercepted during transport. The attacker must have previously executed a man-in-the-middle attack (MitM) or compromised a mail server to gain access to the emails passing through him or the server. Only if these requirements are met, the attacker can execute one of the EFAIL attacks
described in the paper.
The authors of the paper present two similar attacking methods to decrypt emails with existing PGP or S/MIME encryption
The first method is quite simple, but limited to certain email clients (Apple Mail, iOS Mail, Mozilla Thunderbird) and any third-party plug-ins installed there:
To do this, the attacker creates an email with three body parts. The first part formats the email as HTML and inserts an image tag with a target website. The quotation marks and the image tag are not closed. This is followed in the second body part by the PGP- or S/MIME-encrypted
text. The third part consists of HTML formatting again and closes the image tag from part one.
If the attacker sends this email to the sender of the encrypted message, it is possible that the message is decrypted and transmitted to the stored website. To do this, the email client must be configured so that it automatically downloads external images without asking the user.
The second way to read PGP
or S/MIME encrypted emails
is a well-known method of how to extract plain text in blocks of encrypted messages.
The attacking scenarios are called CBC attack (S/MIME) and CFB attack (PGP). They determine a known text portion in an encrypted message and overwrites subsequent blocks with their own content. The EFAIL attack
inserts an image tag with a target website into the encrypted text, as described in the first part. If the message is then delivered to the actual recipient of the encrypted message, it is possible that the message is decrypted and transmitted to the attacker.