EFail

Overview

On May 14th, 2018, a group of German security researchers, lead by Sebastian Schinzel, disclosed a vulnerability believed to be in the PGP and S/MIME encryption for email. The vulnerability appears when an attacker has gained access or intercepted encrypted emails and manipulates the HTML content of the message, such as images or styles, and then sends the maliciously crafted email to a recipient. Upon opening the message in an email client it is decrypted, along with the external maliciously altered content, allowing the attacker to gain access to any plaintext within the email. The majority of mail clients in use today are impacted by this vulnerability, including Outlook, Gmail, and iOS Mail.  A specific list is provided at the end of this document.

Attack Details

There are two separate attacks in which the attacker is required to have exfiltration channels in place in order to obtain the encrypted emails and these channels can be set up by having access to a client’s system, server, network traffic, or compromising email accounts directly.

The first attack is called “Direct Exfiltration” in which an attacker utilizes Apple Mail, iOS Mail, or Mozilla Thunderbird to view the encrypted emails in plaintext. The attack requires the attacker to send an email that contains three parts with the first part containing the HTML content-type within it, the second part is an image src attribute that contains the ciphertext of the PGP or S/MIME encryption, the third section would then close the image src attribute. Once this email is sent to the victim is opened, it allows the external content to be loaded in plain text within emails is then exfiltrated to the attackers to view.

The second attack takes advantage of the ability to attack encrypted messages if you know any of the plaintext. Since most encrypted messages start with “Content-type: multipart/signed,” it is possible to generate an encrypted gadget derived from this known plaintext containing HTML tags and inject it into existing messages. Then, when the reader opens the message, the client sends the plaintext back to the attacker.

Potential Impact

An attacker who is able to inject the required HTML content into an encrypted message in transit can use the HTML payload to recover the plaintext of the encrypted message.

The attacker will have to get in between the sender and the recipient in order to inject the payload or get onto the system containing an encrypted mailbox. Getting into position to carry out either attack is difficult.

What You Should Do

Since the attack scenarios rely on HTML formatted email, disabling HTML rendering in your mail client is advisable and disallow external links to be loaded within email clients. While not a foolproof mitigation in all mail clients, until vendors release patches, it is the only mitigation. When patches are released for your mail client, deploy them as soon as possible. Mozilla promised updates by the end of the week, while Apple said it will have patches “soon.” Microsoft has not yet stated its plans. In the meantime, be careful about sending sensitive information over email.

For a list of impacted mail clients please refer to the list below provided by EFAIL researchers:

EFAIL Table

Table from, “Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels (draft 0.9.0)” by Damian Poddebniak, Christian Dresen, Jens Muller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jorg Schwenk