Main Vulnerability Database Vulnerabilities #VU12646

Information disclosure - CVE-2017-17688

Published: May 14, 2018 / Updated: August 27, 2020

Vulnerability identifier: #VU12646

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-17688

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor:

Affected software:

Detailed vulnerability description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to improper access controls. A remote attacker with access to a target user's PGP encrypted email message can exploit a property of Cipher Feedback Mode (CFB) by modifying known plaintext blocks (such as MIME headers). When the target user decrypts and views the modified email message, the target user's mail client will parse the resulting modified HTML content and disclose the original plaintext to a remote URL.

This exploit is the "CFB gadget" attack method of the vulnerability referred to as "EFAIL".

Various email clients or email client plugins that use OpenPGP or implement the PGP standard are affected.

How to mitigate CVE-2017-17688

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Sources

https://efail.de/efail-attack-paper.pdf

Information disclosure - CVE-2017-17688

Detailed vulnerability description

How to mitigate CVE-2017-17688

Sources

Please verify you're human