Year: 2018

EFAIL Opens Up Encrypted Email to Prying Eyes

A set of vulnerabilities in the encryption technologies used to secure sensitive emails threatens to expose corporate communications as well as the messages of at-risk users such as journalists, political dissidents and whistleblowers operating in hostile environments.

However, there is some debate as to how serious the issues are.

The flaws, collectively dubbed EFAIL by the team of European researchers who discovered them, affect the end-to-end encryption protocols known as OpenPGP and S/MIME.

Email confidentiality is partly protected by Transport Layer Security, but OpenPGP offers an additional layer of end-to-end encryption specifically built to avoid prying eyes. S/MIME, meanwhile, is an alternative standard for email end-to-end encryption that is typically used to secure corporate email communication clients, such as Outlook.

According to the researchers, EFAIL affects clients that use a graphical user interface, including Thunderbird with Enigmail, Apple Mail with GPGTools and Outlook with Gpg4win. Secure messaging services such as Signal are not impacted, according to the Electronic Frontier Foundation, which worked with the research team to publicize the problem.

Describing the flaw in a tweet, Sebastian Schinzel, research team member and a professor of computer security at Münster University of Applied Sciences, wrote: “They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past.” The researchers further elaborated the attack methods in documentation (PDF) on EFAIL released Monday.

“EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs,” they wrote. “The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.”

To create these exfiltration channels, the attacker needs access to the encrypted emails in the first place, so a first step in any attack would be eavesdropping on network traffic or compromising email accounts, email servers, backup systems or client computers in order to collect messages intended for decryption.

Matthew Green, assistant professor at the Department of Computer Science at Johns Hopkins University and crypto expert, broke down the attack in simpler terms: “In a nutshell, if I intercept an encrypted email sent to you, I can modify that email into a new encrypted email that contains custom HTML,” he tweeted. “In many GUI email clients, this HTML can exfiltrate the plaintext to a remote server. Ouch.”

The attack works on past trails of messages; so, for example, if a regime has been stealthily collecting emails sent by suspected dissidents in hopes of someday decrypting them, EFAIL will allow a nation-state to force the person’s email client to now do so.

How Serious?

While on its face EFAIL seems alarming, a debate is in play as to whether the danger it poses has been exaggerated, with PGP vendors noting that it is a known flaw going back 17 years, and one that they have addressed.

Werner Koch, principal author at Gnu Privacy Guard, which is a free implementation of the OpenPGP standard, opened a discussion on the issue in which he said that the attack should not work if authenticated encryption (GnuPG’s is called modification detection code, or MDC) is in use, which is the preferred configuration. If it’s not, GnuPG returns an alert.

“In response to that, they said that they did a simple rollback to the non-MDC encryption,” he said. “This is a pretty old thing which we are aware of, and the reasons why a warning has always been printed in that case.”

Enigmail’s Robert Hansen tweeted that “GnuPG has given warnings on missing/malformed [authentication encryption] for years.” He then added that the problem also has been patched in Enigmail for some time.

“Although the EFAIL authors did find some problems in Enigmail – for which we’re deeply sorry, and plead that we’re only human — we fixed them months ago,” he tweeted, adding that users on the 1.9.9 distro should upgrade to 2.0.

Some have been arguing that EFAIL isn’t a problem for OpenPGP as long as the implementations are done correctly (in addition to the aforementioned authenticated encryption, this includes not using HTML emails, which thwarts the problem). Koch for instance said that OpenPGP’s message authentication that thwarts EFAIL (in place since 2001) can’t be made mandatory because “some implementations haven’t kept up.”

Yet others take issue with that line. “No, in 2018 you don’t get to claim the high ground and blame users and implementations if your crypto API returns the plaintext on a decryption error,” said Google cryptographer Filippo Valsorda, writing on Twitter. “At most you can say ‘sorry we are a legacy system, no one knew better then, it’s time to migrate off.'”

“If you were using GnuPG on the command line and checking your error results, it’s absolutely true that you’re fine,” Green tweeted, adding that “If you’ve been using (one of several) GUI clients with PGP encryption, you were anything but fine.” He also noted that “PGP clients are vulnerable because 17 years after a vulnerability was known, the mitigation was not made a default in GnuPG and defense was instead left to PGP clients, which also make a convenient scapegoat when it goes pear-shaped.”

Also, Robert Graham at Errata Security examined the flaws and came away with a different take: “It only works if you’ve enabled your email client to automatically grab external/remote content,” he said in a post. “It seems to not be easily reproducible in all cases.”
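As an added example (not from the article or from GnuPG), a caller can gate plaintext on GnuPG's machine-readable status lines instead of trusting whatever bytes were written, which is the "checking your error results" discipline Green describes. The status keywords are GnuPG's own; the function names, the strict require-GOODMDC policy and the sample status text are assumptions constructed for illustration.

```python
import subprocess

STATUS_PREFIX = "[GNUPG:] "

def parse_status(status_text):
    """Collect the status keywords from gpg --status-fd output."""
    keywords = set()
    for line in status_text.splitlines():
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split()
            if fields:
                keywords.add(fields[0])
    return keywords

def release_plaintext(status_text, returncode, plaintext):
    """Return (plaintext, reason); plaintext is None unless decryption was
    reported OK *and* the integrity check (MDC) passed."""
    seen = parse_status(status_text)
    if "BADMDC" in seen or "DECRYPTION_FAILED" in seen:
        return None, "integrity check or decryption failed"
    if returncode != 0:
        return None, "gpg exited with an error"
    if "DECRYPTION_OKAY" not in seen:
        return None, "no DECRYPTION_OKAY status"
    if "GOODMDC" not in seen:
        # Assumed policy: treat a missing MDC as a failure, not a warning.
        return None, "no integrity protection (MDC) on this message"
    return plaintext, "ok"

def decrypt_file(path):
    """Run gpg on a file and apply the gate above (not called in this example)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "2", "--decrypt", path],
        capture_output=True)
    status = proc.stderr.decode("utf-8", "replace")
    return release_plaintext(status, proc.returncode, proc.stdout)

# Constructed status output for three cases (not captured from a real run).
AUTHENTICATED = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_OKAY\n"
                 "[GNUPG:] GOODMDC\n[GNUPG:] END_DECRYPTION\n")
NO_MDC = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_OKAY\n"
          "[GNUPG:] END_DECRYPTION\n")
TAMPERED = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] BADMDC\n"
            "[GNUPG:] DECRYPTION_FAILED\n[GNUPG:] END_DECRYPTION\n")
```

The point of the gate is that bytes on stdout are never passed to an HTML renderer unless the status stream says the message was both decrypted and authenticated.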

Outlook Mail Most Affected

In any event, the issue appears to be more serious for S/MIME than it is for OpenPGP. The researchers said as much in detailing one type of exploitation:

“Attacking S/MIME is straightforward and an attacker can break multiple (in our tests up to 500) S/MIME encrypted emails by sending a single crafted S/MIME email to the victim,” they said in their paper. “Given the current state of our research, the CFB gadget attack against PGP only has a success rate of approximately one in three attempts. The reason is that PGP compresses the plaintext before encrypting it, which complicates guessing known plaintext bytes.”

Fixes

As for mitigations, those using HTML clients with these plug-ins have “currently no reliable fixes for the vulnerability,” Schinzel tweeted. “If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.” Disabling the client will also prevent anyone looking over one’s shoulder from decrypting past messages.

The EFF, which in its alert published specific ways to disable it in specific clients, echoed the assessment.

“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email,” wrote the EFF. “Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels…and temporarily stop sending and especially reading PGP-encrypted email.”

Graham had a different take: “Instead of disabling PGP/S/MIME, you should make sure your email client has remote/external content disabled — that’s a huge privacy violation even without this bug.”
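The remote-content check Graham recommends can be made concrete with a small scanner that lists every URL a renderer would fetch automatically from a decrypted HTML body, so a client or mail gateway can refuse to load them. This is an added example, not code from the article, the researchers or any mail client; the tag list, function names and sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# (tag, attribute) pairs that a renderer fetches without any user click.
AUTO_FETCH = {("img", "src"), ("img", "srcset"), ("link", "href"),
              ("script", "src"), ("iframe", "src"), ("embed", "src"),
              ("object", "data"), ("video", "poster"), ("video", "src"),
              ("audio", "src"), ("source", "src"), ("body", "background"),
              ("input", "src")}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.I)

def is_remote(url):
    """True for URLs that leave the message (cid: and data: stay local)."""
    return url.strip().lower().startswith(("//", "http:", "https:", "ftp:"))

class RemoteContentFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []            # (location, url) pairs
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if not value:
                continue
            if (tag, name) in AUTO_FETCH and is_remote(value):
                self.hits.append((f"<{tag} {name}>", value.strip()))
            elif name == "style":
                self._scan_css(value, f"<{tag} style>")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self._scan_css(data, "<style>")

    def _scan_css(self, css, where):
        self.hits += [(where, u.strip()) for u in CSS_URL.findall(css) if is_remote(u)]

def remote_fetches(html):
    finder = RemoteContentFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample body: one inline (cid:) image, two remote loads, one plain link.
SAMPLE = ('<html><head><style>p { background: url("https://remote.example/bg.png") }'
          '</style></head><body><img src="cid:logo@local">'
          '<img src="http://remote.example/a?q=Quarterly%20numbers%20attached">'
          '<a href="https://remote.example/click">link</a></body></html>')
```

A non-empty result from `remote_fetches` means rendering the message would issue network requests; links that need a click, such as the `<a href>` in the sample, are deliberately not counted.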

Samsung Patches Six Critical Bugs in Flagship Handsets

Samsung began rolling out patches over the weekend to fix six critical bugs found in its flagship Android handsets as part of its May patch bulletin. Flaws range from a remote code execution bug to a buffer overflow vulnerability, plus a peek-and-poke command bug that leaves memory locations open on targeted devices.

All six of Samsung’s critical vulnerabilities patched this month were identified in Google’s April Android Security Bulletin. Google released its May Android Security Bulletin last week. In all, Samsung disclosed and patched 27 vulnerabilities, 21 identified as high severity.

Five of the critical bugs identified by Samsung are tied to Qualcomm and its Snapdragon processors used in Samsung handhelds, but also the chipmaker’s Snapdragon Wear and Automotive platforms. Impacted Samsung handheld models include its Galaxy family of S9, Note 8 and S8 phones.

One critical vulnerability is an RCE bug (CVE-2017-13292) identified by Google last month that could “enable a proximate attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.” The flaw, which has a CVSS score of 9.8, is tied to a third-party Broadcom wireless chipset driver (bcmdhd).

Another vulnerability (CVE-2017-18128), which is still undergoing analysis, also has a CVSS score of 9.8. That bug is described by the National Vulnerability Database as “improper access control while configuring MPU (Memory Protection Unit) protecting error correction registers may potentially lead to exposure of related secured data.”

An additional bug (CVE-2017-18146) affects Samsung handsets and the Elliptic Curve Digital Signature Algorithm (ECDSA) signature verification component. ECDSA is a variant of the Digital Signature Algorithm and often used by Android devices to verify the authenticity and maintain the integrity of SMS messages, according to an IEEE abstract.

“In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear… in some corner cases, ECDSA signature verification can fail,” according to the NVD description of the CVE.

The “peek and poke” portion of the CVE-2018-3591 vulnerability refers to a technique most often referenced in ancient (i.e., circa 1980s) computer systems where a user is able to “peek” into a memory address and “poke” it, meaning change the value.

The peek-and-poke vulnerability is described as impacting the Snapdragon Mobile platform where the “default build configuration of device programmer in BOOT.BF.3.0 enables the flag SKIP_SECBOOT_CHECK_NOT_RECOMMENDED_BY_QUALCOMM which will open up the peek and poke commands to any memory location on the target.”

The CVEs outlined by Samsung also impact a number of other Android devices ranging from Google Pixel 2, HTC U11, LG V30 and Motorola Moto Z Force (second-gen), to name a few.
