Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
4.3
CVSSv2

CVE-2017-17688

Published: 16/05/2018 Updated: 11/04/2024
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Subscribe to Outlook

Vulnerability Summary

The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

microsoft outlook 2007

horde horde imp -

flipdogsolutions maildroid -

r2mail2 r2mail2 -

apple mail -

bloop airmail -

freron mailmate -

mozilla thunderbird -

emclient emclient -

postbox-inc postbox -

roundcube webmail -

Vendor Advisories

Debian CVElist Bug Report Logs: enigmail: efail attack against enigmail
Debian Bug report logs - #898630 enigmail: efail attack against enigmail Package: enigmail; Maintainer for enigmail is Debian Mozilla Extension Maintainers <pkg-mozext-maintainers@listsaliothdebianorg>; Source for enigmail is src:enigmail (PTS, buildd, popcon) Reported by: Yves-Alexis Perez <corsac@debianorg> Dat ...
Red Hat: CVE-2017-17688
** DISPUTED ** The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the ...

Github Repositories

https://github.com/jaads/Efail-malleability-gadget-exploit

Exploiting Efail vulnerability in e.g. in Thunderbird

Efail-malleability-gadget-exploit This project provides code to exploit the malleability CFB (CVE-2017-17688) and CBC gadgets (CVE-2017-17689) published by Efail and made available for penetration testing The documentation with all side notes and a detailed introduction can be fount in HTML here or as PDF here Also a summary in form as a presentation can be found here The fi

Recent Articles

S/MIME artists: EFAIL email app flaws menace PGP-encrypted chats
The Register • Shaun Nichols in San Francisco • 14 May 2018

If a hacker can get into your inbox of ciphered messages, they may be able to read the content PGP and S/MIME decryptors can leak plaintext from emails, says infosec Professor

Security researchers have gone public with vulnerabilities in some secure mail apps that can be exploited by miscreants to decrypt intercepted PGP-encrypted messages. The flaws, collectively dubbed EFAIL, are present in the way some email clients handle PGP and S/MIME encrypted messages. By taking advantage of the way the applications handle HTML content of these messages, an attacker could potentially see encrypted messages as plaintext. In other words, decrypt your secret emails. The research ...

Read more...

References

NVD-CWE-noinfohttps://www.patreon.com/posts/cybersecurity-15-18814817https://twitter.com/matthew_d_green/status/995996706457243648https://protonmail.com/blog/pgp-vulnerability-efailhttps://news.ycombinator.com/item?id=17066419https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.htmlhttps://efail.dehttps://www.synology.com/support/security/Synology_SA_18_22http://www.securitytracker.com/id/1040904http://www.securityfocus.com/bid/104162http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.htmlhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898630https://github.com/jaads/Efail-malleability-gadget-exploithttps://nvd.nist.govhttps://www.kb.cert.org/vuls/id/122919
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-21991CVE-2024-32674path traversalCVE-2023-21987denial of servicedosCVE-2024-4647CVE-2024-25519CVE-2024-33612
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook