#VU12649 Information disclosure - CVE-2017-17689
Published: May 15, 2018 / Updated: August 27, 2020
Vulnerability identifier: #VU12649
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-17689
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Software vendor:
Description
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to improper access controls. A remote attacker with access to a target user's S/MIME encrypted email message can exploit a property of Cipher Feedback Mode (CFB) by modifying known plaintext blocks (such as MIME headers). When the target user decrypts and views the modified email message, the target user's mail client will parse the resulting modified HTML content and disclose the original plaintext to a remote URL.
This exploit is the "CFB gadget" attack method of the vulnerability referred to as "EFAIL".
Remediation
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.