Efail Vulnerability Targeting PGP Email Clients

Introduction

European researchers (from the Universities of Münster, Bochum and Leuven) recently published a study dubbed Efail, uncovering vulnerabilities with the use of OpenPGP and S/MIME open encryption standards in end-to-end secure email clients. The S/MIME encryption standard is frequently deployed by enterprises to secure all outgoing and incoming emails. OpenPGP is mostly preferred by individuals such as journalists in conflict areas and whistle-blowers looking to protect the privacy and confidentially of sensitive information over email communications.

The actual problem, contrary to what have been reported by the news media, is not based on a weakness of PGP encryption neither algorithmic nor functional. Rather, it is a well-known issue mitigated almost 20 year back by the authors of the encryption standards and still not correctly implemented in certain email clients. As an open standard, PGP is widely available and can be implemented by any developer. As result, many software libraries and plugins have not undergone the same level of quality/security reviews introducing thus vulnerabilities.

This Info Note reviews the findings of the Efail study and draws recommendations to PGP end-to-end secure email users.

Contextual Information

In the Efail study, researchers described two different techniques used to materialize the attack: direct exfiltration and “malleability gadgets”, able to leak the plaintext of encrypted emails. The attacks proved successful in 25 out of 35 tested email programs using the S/MIME encryption standard and in 10 out of 28 tested programs using OpenPGP.

The first technique used, direct exfiltration channel, abuses vulnerabilities in email clients using HTML format as a backchannel. The attacker creates a new multipart email with three body parts: a first body part containing an image tag where the “src” attribute is opened with quotes but not closed; a second body part containing the PGP or S/MIME ciphered text and a third part closing the “src” attribute of the first body part. The victim’s email client encodes all non-printable characters and requests the image using the URL referenced in the “src” attribute to a server controlled by the attacker, exposing the plaintext of the encrypted email.

The mitigation of this first attack is widely known and largely documented by the PGP standards authors: email clients to avoid combining the use of plain text and cyphered text in the same message and avoid using active content in secure emails.

The second technique, malleability gadget attack, abuses vulnerabilities in the implementation of OpenPGP and S/MIME in email clients when checking the consistency and integrity of the cyphered text. Conducting a precise modification of a plaintext block known to the attacker (the string “Content-type: multipart/signed” is often used in emails heading), a new canonical plaintext block can be formed with an image tag injected into the encrypted message. This creates a single encrypted body part that exfiltrates its own plaintext when the user opens the attacker email using the “src” attribute described in the first technique.

The mitigation of this second technique was identified almost 20 years back with the implementation of Modification Detection Code (MDC). During the decryption process, the decrypted data is hashed and compared with the result stored in the MDC packet. If the results are not equal, should be treated as a decryption failure, and email clients are supposed not to load the decrypted content.

Recommendations

• Review the list of vulnerable email clients in the list provided by Efail researchers.
• Contact the email client vendor and check for the latest updates.
• Disable the use of active content, such as HTML format and the loading of external content.
• Confirm with recipients of your secure emails if they use updated email clients.

Closing Remarks

At its core, PGP remains cryptographically sound and users should continue relying on these standards. Much controversy was generated around the disclosure of these vulnerabilities with members of the Information Security community and Industry contesting the headlines and recommendations produced against the use of PGP. The merits of the Efail study remain with the urgency of correcting these well know problems and advise users on safer implementations. The future of secure email is still unknown as there is no light if a replacement of these almost 30 years old standards will be presented any time soon.