CVE-2017-17688

moderate-risk

Published 2018-05-16

The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification

Do I need to act?

3.3% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (12)

Mail

Airmail

Emclient

Maildroid

Mailmate

Horde Imp

Outlook

Thunderbird

Postbox

R2Mail2

Webmail

Affected Vendors

Microsoft Apple Mozilla Horde Roundcube Bloop Emclient Flipdogsolutions Freron Postbox-Inc R2Mail2

References (20)

Third Party Advisory http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.html

Third Party Advisory http://www.securityfocus.com/bid/104162

Third Party Advisory http://www.securitytracker.com/id/1040904

Exploit https://efail.de

Third Party Advisory https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html

Issue Tracking https://news.ycombinator.com/item?id=17066419

Issue Tracking https://protonmail.com/blog/pgp-vulnerability-efail

Third Party Advisory https://twitter.com/matthew_d_green/status/995996706457243648

Issue Tracking https://www.patreon.com/posts/cybersecurity-15-18814817

Third Party Advisory https://www.synology.com/support/security/Synology_SA_18_22