Check for EFAIL vulnerability
Closed, Resolved · Public


This is a critical vulnerability that potentially allows an attacker to retrieve the plaintext of an encrypted mail.

I don't think we are vulnerable to "Direct Exfiltration". Individual parts are rendered separately, and the attack relies on the parser stitching the whole content together to generate the malicious HTML content.

I think we are vulnerable to the "CBC/CFB Gadget Attack" because there the malicious img tag is inserted directly into the decryption result, so there isn't much we can do besides disabling loading of images.

cmollekopf triaged this task as Normal priority.

Upon further inspection it seems like the "CBC/CFB Gadget Attack" can only be executed if an attacker intercepts a message, tampers with it appropriately and then forwards it to the recipient.
In such a case the attacker can potentially retrieve the plaintext of that specific email. One potential risk could be that with enough content the private key could be guessed, which would of course be much more severe.
In any case, this is about targeted attacks only, I think.

The paper mentions that Authenticated Encryption (AE) would prevent the attack entirely if the email refrains from displaying the content at all if the verification fails (or at least just as plain-text).

cmollekopf closed this task as Resolved. Jul 12 2018, 8:01 AM
cmollekopf claimed this task.
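The two mitigations discussed in this task (not loading images, and not displaying content whose integrity verification fails, or showing it only as plain text) can be combined into one render gate. The sketch below is an added example, not code from this project; `render_decision`, `RemoteRefFinder`, the `integrity_ok` flag and the sample message are hypothetical names and constructed data.

```python
from html import escape
from html.parser import HTMLParser

# Attributes that make an HTML view fetch a URL with no user action.
# Assumption: not exhaustive (CSS inside <style> elements is not parsed here).
FETCH_ATTRS = {"src", "srcset", "background", "poster", "data"}
REMOTE = ("http:", "https:", "ftp:", "//")


class RemoteRefFinder(HTMLParser):
    """Collect (tag, attribute, value) for every reference that would auto-load."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            v = (value or "").strip().lower()
            auto = name in FETCH_ATTRS or (tag == "link" and name == "href")
            if auto and v.startswith(REMOTE):
                self.refs.append((tag, name, value))
            elif name == "style" and "url(" in v:
                self.refs.append((tag, name, value))


def render_decision(decrypted, integrity_ok, on_failure="refuse"):
    """Decide how a decrypted HTML part may be shown.

    integrity_ok is the caller's result of the integrity (AE) check; how it is
    obtained depends on the crypto backend and is outside this sketch.
    """
    if not integrity_ok:
        if on_failure == "plaintext":
            # Escaped source is inert even if it ends up in an HTML view.
            return {"mode": "plaintext", "body": escape(decrypted), "remote_refs": []}
        return {"mode": "refuse", "body": "", "remote_refs": []}
    finder = RemoteRefFinder()
    finder.feed(decrypted)
    finder.close()
    # Body is unchanged; the view must be created with network loading disabled.
    return {"mode": "html-no-remote", "body": decrypted, "remote_refs": finder.refs}


# Constructed sample: a decrypted part containing an auto-loading image reference.
SAMPLE = '<p>Hi</p><img src="http://example.invalid/x?q=quarterly numbers"><p>Bye</p>'
```

The `remote_refs` list is only meant for a "remote content blocked" indicator; the blocking itself has to be enforced by the HTML view.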