Open Source and information security mailing list archives
 
Message-ID: <cfa7f507-b1ff-91ae-1841-68c18d505d90@rub.de>
Date: Tue, 30 Apr 2019 14:33:59 +0200
From: Jens Müller via Fulldisclosure
 <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] OpenPGP and S/MIME signature forgery attacks in multiple email
 clients

In the scope of academic research at Ruhr-University Bochum and Münster
University of Applied Sciences, Germany, various vulnerabilities
regarding the signature verification logic in OpenPGP and S/MIME capable
email clients have been discovered.

While neither OpenPGP nor S/MIME is directly affected, email client
implementations show poor performance. Popular clients such as Apple
Mail or Thunderbird are vulnerable to signature spoofing on multiple
layers (attack classes).


*Abstract:*

OpenPGP and S/MIME are the two major standards to encrypt and digitally
sign emails. Digital signatures are supposed to guarantee authenticity
and integrity of messages. In this work we show practical forgery
attacks against various implementations of OpenPGP and S/MIME email
signature verification in five attack classes: (1) We analyze edge cases
in S/MIME's container format. (2) We exploit in-band signaling in the
GnuPG API, the most widely used OpenPGP implementation. (3) We apply
MIME wrapping attacks that abuse the email clients' handling of
partially signed messages. (4) We analyze weaknesses in the binding of
signed messages to the sender identity. (5) We systematically test email
clients for UI redressing attacks.

Our attacks allow the spoofing of digital signatures for arbitrary
messages in 14 out of 20 tested OpenPGP-capable email clients and 15 out
of 22 email clients supporting S/MIME signatures. While the attacks do
not target the underlying cryptographic primitives of digital
signatures, they raise concerns about the actual security of OpenPGP and
S/MIME email applications. Finally, we propose mitigation strategies to
counter these attacks.


*Affected clients:*

The following email clients -- with S/MIME support or PGP plugins --
are fully or partially vulnerable. While most issues are patched now,
some email clients remain vulnerable, especially to minor issues.

Thunderbird (52.5.2), Outlook/GpgOL (16.0.4266), The Bat! (8.2.0), eM
Client (7.1.31849), Postbox (5.0.20), KMail (5.2.3), Evolution (3.22.6),
Trojitá (0.7-278), Apple Mail (11.2), MailMate (1.10), Airmail (3.5.3),
K-9 Mail (5.403), R2Mail2 (2.30), MailDroid (4.81), Nine (4.1.3a),
Roundcube (1.3.4), Mailpile (1.0.0rc2)


*Resulting CVEs:*

CVE-2018-18509, CVE-2018-12019, CVE-2018-12020, CVE-2017-17848,
CVE-2018-15586, CVE-2018-15587, CVE-2018-15588, CVE-2019-8338,
CVE-2018-12356, CVE-2018-12556, CVE-2019-728


*Paper and Exploits:*

- Full paper (to be published at USENIX Security '19):
https://github.com/RUB-NDS/Johnny-You-Are-Fired/raw/master/paper/johnny-fired.pdf
- Artifacts (.eml testcases to check your own client):
https://github.com/RUB-NDS/Johnny-You-Are-Fired
- BSI / CERT Bund press release (German only):
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Signaturfaelschungen-300419.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
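
Added example, not part of the original post or of the authors' artifacts: a defender-side check for attack class (3), reporting whether a detached signature (`multipart/signed`) covers the whole MIME tree or only a sub-part. The function name, the part numbering and the sample message are constructed for illustration; the code does not verify any signature and does not handle opaque S/MIME (`application/pkcs7-mime`).

```python
from email import message_from_string
from email.message import Message

# Constructed sample: an unsigned text part placed next to a signed sub-part.
WRAPPED = """\
Subject: constructed sample
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

This text is outside the signed part.
--outer
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="inner"

--inner
Content-Type: text/plain

This text is covered by the signature.
--inner
Content-Type: application/pgp-signature

(placeholder, not a real signature)
--inner--
--outer--
"""

def signature_coverage(msg: Message) -> dict:
    """Report which MIME parts sit under multipart/signed and which do not."""
    signed_roots, unsigned_leaves = [], []

    def walk(part, path, covered):
        is_signed = part.get_content_type() == "multipart/signed"
        if is_signed and not covered:
            signed_roots.append(path)          # outermost signed container
        if part.is_multipart():
            for i, child in enumerate(part.get_payload(), 1):
                walk(child, f"{path}.{i}", covered or is_signed)
        elif not covered:
            unsigned_leaves.append((path, part.get_content_type()))

    walk(msg, "1", False)                      # "1" is the root of the tree
    status = ("unsigned" if not signed_roots else
              "fully-signed" if signed_roots == ["1"] else "partially-signed")
    return {"status": status, "signed_parts": signed_roots,
            "unsigned_leaves": unsigned_leaves}

if __name__ == "__main__":
    print(signature_coverage(message_from_string(WRAPPED)))
```

A `partially-signed` result means any "valid signature" indicator applies only to the listed signed parts, not to the content in `unsigned_leaves`.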
