ADVISORY: Efail…PGP Has an Email Problem?

Email continues to be one of the most popular ways to communicate in the world today. And given the rapidly evolving threat landscape, email encryption has never been more critical. Pretty Good Privacy (PGP) has long been a trusted platform for encrypted messaging and remains a popular method of sending secure, private email.

On May 14, a research team led by Sebastian Schinzel, researcher and professor of computer security at Münster University of Applied Sciences, disclosed critical vulnerabilities in implementations of several email clients and the OpenPGP and S/MIME standards that could be exploited to disclose sensitive information by exfiltrating plaintext of encrypted messages. It’s also possible that old messages which were previously encrypted could be disclosed.

The research team is using the name Efail to describe these vulnerabilities. They released a technical report with details. Essentially, Efail attacks exploit weaknesses in the various email clients, PGP and S/MIME, by tricking email clients into revealing the plaintext of the encrypted emails to the attacker. In the technical paper, researchers state that for the attack against the email clients that involves direct exfiltration, “EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.”

The second issue, named the CBC/CFB Gadget attack, abuses vulnerabilities in the specification of OpenPGP and S/MIME, thereby allowing the attacker to exfiltrate the plaintext from encrypted messages.

After reviewing the research, the Electronic Frontier Foundation (EFF) also stated it could “confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.”

There’s an ongoing debate in the cybersecurity community whether these issues are in the specifications or the email clients. Some cybersecurity professionals have expressed concerns that the issue also affects the core protocol of PGP, including file encryption. GNU Privacy Guard tweeted, “They figured out mail clients which don’t properly check for decryption errors and also follow links in HTML mails. So the vulnerability is in the mail clients and not in the protocols. In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation.”

Due to the risk and severity of the vulnerabilities, it’s likely the affected vendors will release patches to mitigate both these issues before a comprehensive evaluation of the PGP and S/MIME specifications are conducted.


There are currently no reliable fixes for these issues. There’s a large list of vendors affected (see section titled “Responsible Disclosure”).

Tenable Research is closely following the developing situation for these vulnerabilities:

  • CVE-2017-17688: OpenPGP CFB gadget attacks
  • CVE-2017-17689: S/MIME CBC gadget attacks

If OpenPGP is patched to detect and discard messages with modified ciphertext, Tenable’s container security would detect outdated versions. Similarly, when mail clients take steps to mitigate these issues, Container Security would detect those outdated versions as well.

We’re monitoring the situation and are actively working on releasing checks and plugins to help our customers determine if they’re vulnerable and assess their Cyber Exposure.

Some interim mitigations

  • Don’t decrypt email messages using vulnerable clients. Use a standalone application to decrypt email messages, so that direct exfiltration channels aren’t opened up as a result of these vulnerabilities. This trade-off involves the addition of an extra step when receiving encrypted messages.
  • Disable rendering of remote content in messages on email clients. This reduces the attack surface area and raises the bar for exploitation. However, this will also mean that active content in messages cannot be viewed.
  • Apply patches from vendors as soon as they are available.

Additional information

*** This is a Security Bloggers Network syndicated blog from Tenable Blog authored by Steve Tilson. Read the original post at: