The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2017-17689 from the MITRE CVE dictionary dictionary and NIST NVD.
The research paper talks about use of HTML as a back channel to create an oracle for modified encrypted emails. HTML emails which use external links like "" can cause security issues if they are honored by the MUAs. Due to flaws in MIME parsers many MUAs seem to concatenate decrypted HTML mine parts which makes it easy to plan such snippets in HTML emails. Please refer to https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html about how GnuPG can mitigate this flaw.
For Thunderbird, this vulnerability was known as CVE-2018-5162 and resolved in 52.8.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 5.3 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | None |
| Availability Impact | None |
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 7 | kdepim | Will not fix |
| Red Hat Enterprise Linux 7 | evolution-data-server | Not affected |
| Red Hat Enterprise Linux 7 | thunderbird | Not affected |
| Red Hat Enterprise Linux 6 | thunderbird | Not affected |
| Red Hat Enterprise Linux 6 | kdepim | Will not fix |
| Red Hat Enterprise Linux 6 | evolution-data-server | Not affected |
The easiest way to mitigate this vulnerability is not to use HTML emails. If you really need to use them ensure that MUA clients disable external links embedded in HTML emails. For example in thunderbird email client, Edit->Preferences->Privacy->Disable "Allow remote content in messages".
Vulmon