Skip Ribbon Commands
Skip to main content
Computer Security Incident Response Team of Mauritius (CERT-MU)

VN-2018-36


OpenPGP CFB Mode Authentication Flaw Lets Remote Users Decrypt and Obtain Potentially Sensitive Information from the Target User's Email Client
Severity Rating: Low
Systems Affected: Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Description
A vulnerability was reported in OpenPGP. A remote user can decrypt and obtain potentially sensitive information on the target system.
A remote user with access to a target user's PGP encrypted email message can exploit a property of Cipher Feedback Mode (CFB) by modifying known plaintext blocks (such as MIME headers). When the target user decrypts and views the modified email message, the target user's mail client will parse the resulting modified HTML content and disclose the original plaintext to a remote URL.
This exploit is the "CFB gadget" attack method of the vulnerability referred to as "EFAIL".
Various email clients or email client plugins that use OpenPGP or implement the PGP standard are affected.
Impact
A remote user with access to a target user's encrypted email message can obtain decrypted plaintext from the target user's mail client.
The original advisory is available at:
Solution
No solution was available at the time of this entry.
However, the Electronic Frontier Foundation has recommended that users of PGP-based email clients disable and/or uninstall tools that automatically decrypt PGP-encrypted email.
More information is available on
Vendor Information
OpenPGP
 
CVE Information
 
References
Security Tracker
Contact Information
Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis