exploitDog

CVE-2017-17689

Published: 14 May 2018
Source: redhat
CVSS3: 5.3
EPSS: Low

Description

The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.

Report

The research paper describes the use of HTML as a back channel to create an oracle for modified encrypted emails. HTML emails which use external links like "" can cause security issues if they are honored by the MUAs. Due to flaws in MIME parsers, many MUAs seem to concatenate decrypted HTML MIME parts, which makes it easy to plant such snippets in HTML emails. Please refer to https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html for how GnuPG can mitigate this flaw. For Thunderbird, this vulnerability was tracked as CVE-2018-5162 and resolved in 52.8.

Mitigation

The easiest way to mitigate this vulnerability is not to use HTML emails. If you really need to use them, ensure that MUA clients disable external links embedded in HTML emails. For example, in the Thunderbird email client: Edit->Preferences->Privacy->Disable "Allow remote content in messages".
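The report and the mitigation above describe one defensive control: the back channel only exists if the client fetches remote content referenced from an HTML part. The following Python script is an added example, not code from Red Hat, exploitDog or any mail client. It walks a MIME message with the standard library, lists every network-fetching reference found in text/html parts, and, as a heuristic that is my own assumption rather than something the advisory prescribes, flags HTML parts that leave tags open, since a client that concatenates decrypted HTML parts would render such markup across the part boundary. The sample message it scans is constructed inline for the demo.

```python
"""Flag remote-content references in the HTML parts of a MIME message.

Added example (not from the Red Hat advisory or exploitDog). A gateway or
mail client that refuses to render a message flagged here removes the HTML
back channel described in the report. The sample message is constructed.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Tag -> attributes that make a rendering client fetch something remotely.
REMOTE_ATTRS = {
    "img": ("src",),
    "link": ("href",),
    "script": ("src",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
}
# Void elements never have an end tag, so they are not tracked as "open".
VOID_TAGS = {"img", "link", "br", "hr", "meta", "input", "source", "embed"}
REMOTE_SCHEMES = ("http://", "https://", "//")


class RemoteContentScanner(HTMLParser):
    """Collect remote URLs and record tags that were never explicitly closed."""

    def __init__(self):
        super().__init__()
        self.remote_urls = []
        self._open = []      # stack of currently open non-void tags
        self._implicit = []  # tags closed only because an outer tag closed

    def handle_starttag(self, tag, attrs):
        for attr_name in REMOTE_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == attr_name and value and value.lower().startswith(REMOTE_SCHEMES):
                    self.remote_urls.append(value)
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag not in self._open:
            return  # stray end tag with no matching start; ignore it
        while self._open:
            opened = self._open.pop()
            if opened == tag:
                break
            self._implicit.append(opened)  # swallowed by the outer end tag

    def unclosed_tags(self):
        """Tags left open at end of input plus tags closed only implicitly."""
        return self._implicit + list(self._open)


def scan_message(raw: bytes) -> dict:
    """Scan every text/html part of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"html_parts": 0, "remote_urls": [], "unclosed_tags": []}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        report["html_parts"] += 1
        scanner = RemoteContentScanner()
        scanner.feed(part.get_content())
        scanner.close()
        report["remote_urls"].extend(scanner.remote_urls)
        report["unclosed_tags"].extend(scanner.unclosed_tags())
    return report


def is_safe_to_render(report: dict) -> bool:
    """Policy from the mitigation: no remote fetches, no dangling markup."""
    return not report["remote_urls"] and not report["unclosed_tags"]


def build_sample_message() -> bytes:
    """Constructed sample: a remote image plus a <div> that is never closed."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "constructed sample message"
    msg.set_content("plain text fallback")
    msg.add_alternative(
        "<html><body><p>Hello</p>"
        '<img src="https://tracker.example.test/pixel.png">'
        "<div>unterminated</body></html>",
        subtype="html",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    result = scan_message(build_sample_message())
    print(result)
    print("safe to render:", is_safe_to_render(result))
```

Running the script prints the remote URL and the dangling `div`, and reports the message as unsafe to render. Pointing `scan_message` at a real `.eml` file read in binary mode works the same way; the check deliberately treats protocol-relative `//` references as remote, since browsers and HTML renderers resolve them over the network.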

Affected packages

Platform                    | Package     | State        | Recommendation | Release
----------------------------|-------------|--------------|----------------|--------
Red Hat Enterprise Linux 6  | kdepim      | Will not fix |                |
Red Hat Enterprise Linux 6  | thunderbird | Not affected |                |
Red Hat Enterprise Linux 7  | kdepim      | Will not fix |                |
Red Hat Enterprise Linux 7  | thunderbird | Not affected |                |
Red Hat Enterprise Linux 8  | thunderbird | Not affected |                |

Additional information

Status: Moderate
Defect: CWE-200
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1577909 (S/MIME: CBC gadget attacks allows to exfiltrate plaintext out of encrypted emails)

EPSS

Percentile: 63%
Score: 0.00447
Low

CVSS3

5.3 Medium

Related vulnerabilities

CVSS3: 5.9
ubuntu
more than 7 years ago

The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.

CVSS3: 5.9
nvd
more than 7 years ago

The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.

CVSS3: 5.9
debian
more than 7 years ago

The S/MIME specification allows a Cipher Block Chaining (CBC) malleabi ...

CVSS3: 5.9
github
more than 3 years ago

The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.

suse-cvrf
more than 7 years ago

Security update for enigmail
