When vulnerabilities are disclosed in well-known and widely used security protocols, the infosec community is quick...
to react, both in terms of finding a fix and debating at length the root cause of the vulnerabilities.
The research team that wrote about newly discovered vulnerabilities in Open Pretty Good Privacy (OpenPGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME) caused additional controversy. Not only was the URL to their research report, "Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels" leaked via a tweet, but because many disagree with their conclusions that the vulnerabilities are inherent flaws in the protocols and with their recommendations for mitigating them. Many in the community believe instead that the vulnerabilities are caused by poor protocol implementations in email clients.
How Efail works
The report explains how the Efail flaws occur in email clients supporting the OpenPGP or S/MIME standards, leaving them vulnerable to a ciphertext feedback mode or a cipher block chaining (CBC) gadget attack, respectively tracked as CVE-2017-17688 and CVE-2017-17689. This enables an attacker to inject content into an encrypted email which could establish an exfiltration channel when the content is decrypted by the victim's email client.
For example, by injecting an HTML image tag, the flaw can enable an attacker to exfiltrate the plaintext as part of an HTTP request when the message is rendered by the email client. The researchers found that some email clients that don't isolate multiple MIME parts can also enable attackers to sandwich encrypted messages between plaintext MIME parts with specially formatted remote resource links. When those messages are decrypted and rendered by the email client in an HTML-based back channel, it eliminates the need to perform gadget attacks.
Any Efail-based attack depends on whether the email client has properly implemented authenticated encryption standards, such as modification detection code (MDC), a cryptographic hash function used as an integrity check to see if messages have been tampered with.
Efail is more effective against S/MIME, as it doesn't currently support MDC, so attackers can exploit the properties of CBC-based encryption to inject the attack into messages. This is probably why Efail appears to affect more clients using S/MIME than OpenPGP.
Robert J. Hansen, an evangelist for GnuPG, a free implementation of the OpenPGP standard, pointed out that when GnuPG sees a message without MDC, it generates the following warning by default: "WARNING: Message was not integrity protected." However, it's then up to the email client to take the appropriate action, such as not displaying the message.
For backward-compatibility reasons, the OpenPGP spec does technically allow for messages that have not been encrypted with MDC, but modern OpenPGP clients shouldn't silently ignore warnings of missing or malformed MDCs, as this can enable the Efail attack. This makes it seem as if it is the developer's implementation and HTML rendering issues with email clients that enable the attacks, and not OpenPGP itself.
The authors' table of affected email clients also shows that not all clients are affected. Whether the OpenPGP and S/MIME protocols should be updated to strictly enforce MDC to prevent an attacker from exploiting the Efail flaws is another matter.
How to defend against it
One suggested method to defend against Efail is to reject all email with HTML attachments, but that is not practical for the majority of enterprises, and Efail attacks are easy to detect at the network perimeter. However, email clients should also be prevented from automatically loading remote resources such as images, as this will not only prevent exfiltration channels from being opened by the email client, but it can also prevent tracking via invisible images.
Enterprises should be aware that although their users' email clients may be Efail safe, there is no way to guarantee that the recipients have updated their software or configurations. This means that there is the possibility of a sender's encrypted message being read by an Efail attacker.
One workaround is to manually encrypt the message body with a tool like gpg4usb or Gpg4win and then paste it into an email. Likewise, incoming emails can be decrypted outside of the email client to prevent the client from opening exfiltration channels.
Whatever people's thoughts on Efail, it shows the importance of keeping all software up to date and ensuring users deploy only the latest and strongest encryption ciphers. This certainly isn't the end of the road for OpenPGP or S/MIME, but many observers think that blockchain-based authentication is the future.