From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search


The E-FAIL [1] attack takes use of flaws in the OpenPGP and S/MIME protocols to reveal the plaintext of encrypted emails. In short, EFAIL abuses the active content in HTML emails, such as externally loaded images or styles, and leaks plaintext via the requested URL. To create these exfiltration channels, the attacker must first access encrypted emails by, for example, eavesdropping on network traffic, destroying email accounts, email servers, backup systems or client computers. These emails may even have been collected many years ago. The attacker modifies the encrypted email in some way and sends the modified encrypted email to the victim. The victim’s email client decrypts the email and loads all external content to reveal the plaintext to the attacker.

In this dokumentation will will concentrate on the three official CVE numbers for the CBC/CFB gadget attacks:

  • CVE-2017-17688: OpenPGP CFB gadget attacks [2]
  • CVE-2017-17689: S/MIME CBC gadget attacks [3]
  • CVE-2019-14664: Direct Exfiltration [4]

There are more vulnerabilities that target the OpenPGP protocol's specifications. Some OpenPGP implementations may be broken as a result of this public certificate poisoning. CVE-2019-13050 is another name for this vulnerability: PGP Keyservers are being targeted for certificate spamming attacks.

Direct Exfiltration Channels in Email Clients

Direct Exfiltration attacks exploit vulnerabilities in Apple Mail, iOS Mail, and Mozilla Thunderbird to directly leak the plaintext of encrypted emails. These vulnerabilities can be fixed in the corresponding email client. The attacker creates a new multipart email with three paragraphs of text, as shown below 3.3 . The first is a piece of HTML text that is essentially an HTML image tag. Note that the src attribute of this image tag is opened with quotes, not closed. The second body contains PGP or S/MIME ciphertext. The third is also an HTML body part that disables the src attribute of the first body part

Example of an E-Mail[5]
Example of an E-Mail[6]

This email is then sent to the victim by the assailant. The client of the victim decrypts the second encrypted body part and inserts the three body parts into the HTML email as illustrated below. 3.4. Note that the src attribute of the image tag in line 1 is disabled in line 4, so the URL includes all four lines.

decrypted cipher text[7]

Then, the email client URL encodes all non-printable characters (e.g. ”20” is a space) and requests the image from that URL. Because the plaintext of the encrypted email is contained in the URL route, the victim’s email client delivers the plaintext to the attacker. Direct exfiltration EFAIL attacks are applicable to PGP and S/MIME encrypted emails.

Vulnerable email programs to the knowledge of the security researchers who discovered the Efail vulnerability.[8]

The CBC/CFB-Gadget-Attack

First, we’ll go through the new CBC/CFB gadget attacks, which take use of flaws in the OpenPGP and S/MIME specifications to steal plaintext.The concept of CBC gadget in S/MIME is depicted in the diagram below. An attacker can precisely edit plaintext blocks if they know the plaintext due to the characteristics of the CBC mode of operation. As seen in 3.1 (a), S/MIME-encrypted emails frequently begin with ”Content type: multipart/signed,” indicating that the attacker has at least one complete plaintext block. It can then create a canonical plaintext block with zeros as its content, as seen in 3.1 (b). The block pair X and C 0a is referred to as a CBC device. It then appends CBC gadgets to the encrypted plaintext to insert an image tag in step 3.1 (c). When the user opens the attacker email, this creates a single piece of encrypted text that exfiltrates its own plaintext. OpenPGP employs the CFB mode of operation, which has cryptographic features that are extremely similar to CBC and allows the same attack to be carried out with CFB gadgets. The distinction is that any standard-conforming client will be vulnerable, and each vendor will be free to devise their own mitigations, which may or may not prevent the attacks. As a result, it will be important to update the specification in the long run in order to uncover and record changes that address the underlying primary causes of the vulnerabilities.

CBC gadgets in S/MIME[9]

Despite the fact that the CBC/CFB gadget attacks on PGP and S/MIME are theoretically similar, the conditions for a successful attack differ significantly. Attacking S/MIME is simple, because by sending a single designed S/MIME email to the target, an attacker can break several S/MIME encrypted emails. Modern OpenPGP implementations, unlike S/MIME, include a Modification Detection Code (MDC) that may identify modified plaintexts and so prevent the CFB gadget attack. However, we discovered that several clients only displayed the updated plaintext after issuing a warning to the user for invalid MDCs.

Despite the MDC, the CFB gadget attack was possible. PGP also compresses the plaintext before encrypting it, making guessing known plaintext bytes more difficult. Based on our current findings, the CFB device attack against PGP has a success rate of about one out of every three attempts. Plaintext compression, we believe, is more of a technical snag than a fundamental restriction of the EFAIL attacks, and that further research will make the attacks more efficient.


To continue using email encryption securely, users must implement the following points to prevent E-Fail attacks. This section is divided in to three terms to visualize the urgency of each implementation.


Active content in the email client must be disabled. This includes HTML code execu- tion and the reloading of external material, which is frequently authorized for aesthetic reasons. E-mail servers and e-mail clients must be secured against unauthorized access attempts.Moreover, in the case of OpenPGP, you can decrypt the e-mails in an external program instead of in the mail client, so that an attack comes to nothing. Short term: No decryption in email client. Decrypting S/MIME or PGP emails in a separate program outside of your email client is the easiest strategy to avoid EFAIL attacks. Decrypt incoming encrypted emails by copy and pasting the ciphertext into a different program that handles the decryption for you after deleting your S/MIME and PGP private keys from your email client. In this manner, email clients are unable to initiate exfiltration channels. This is currently the safest option with the downside that the process gets more involved. Short term: Disable HTML rendering. The EFAIL attacks target active content, which is often in the form of HTML pictures, styles, and other elements. The most common approach of fighting EFAIL is to disable the rendering of incoming HTML emails in your email client. It’s worth noting that email clients have other possible backchannels that aren’t linked to HTML, but they’re more difficult to attack.


Update E-Mail client. Vendors of the email clients will publish patches that either fix the E-Fail vulnerabilities or make them much harder to exploit.


Update OpenPGP and S/MIME standards. The EFAIL attacks exploit flaws and undefined behavior in the MIME, S/MIME, and OpenPGP standards.As a result, standards must be changed, which will take time. Update: Our advice to dep- recate the SE packet type and not show updated ciphertexts is reflected in the current draft of OpenPGP RFC4880.[CalAD] The CFB gadget attacks can also be prevented by updates, the programs just have to evaluate the MDC correctly (which GnuPG does by now, an error in the MDC check now leads to termination) and reject the outdated SE packets so that the attacks are no longer possible. The CBC gadget attacks cannot be properly prevented until an updated S/MIME standard is released. Until that time comes, individual developers will have to develop their own solutions


Encryption with PGP and S/MIME is not nearly as reliable as thought. Due to insufficient standards, outdated technology and faulty programs, attackers could gain possession of encrypted e-mails sent. Neither S/MIME nor OpenPGP can sufficiently ensure the security of encrypted messages sent. An attacker who intercepts and manipulates encrypted emails can acquire access to at least some of the plaintext of the communication. In reality, this flaw, known as ”efail,” affects all email encryption applications, rang- ing from Outlook and Windows Mail to Thunderbird and Apple Mail. The situation is particularly dramatic for S/MIME: it is mainly used in corporate environments, and researchers finally announced that the standard is irretrievably broken. However, even the basic PGP has serious problems that can be used to carry out quite targeted at- tacks. However, there is hope that updates from OpenPGP extension vendors (like Enigmail [MKP+17]) can alleviate this situation, at least in the medium term. This article delves into the technical details of the vulnerabilities, which may be seen through electronic bug assaults. The best way to protect oneself in the current environment is to avoid sending very incendiary messages via email. Preventative steps such as deactivating HTML display and refreshing external elements such as photos can greatly reduce the severity of the problem. Messenger communications can be encrypted end-to-end as a simple option. Unlike OpenPGP and S/MIME, it uses cutting-edge encryption and is unaffected by current email-related difficulties. It may also be used to securely transmit files. Signal’s effectiveness in managing sensitive data communicated over the Internet has been demonstrated several times in practice.


Ausgewählte Kapitel der IT-Security ILV