CVE-2017-17688 - Vulnerability Details

The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apple	Mail
Bloop	Airmail
Emclient	Emclient
Flipdogsolutions	Maildroid
Freron	Mailmate
Horde	Horde Imp
Microsoft	Outlook
Mozilla	Thunderbird
Postbox-inc	Postbox
R2mail2	R2mail2
Roundcube	Webmail

Configuration 1 [-]

OR	cpe:2.3:a:apple:mail:-:::::::*
	cpe:2.3:a:apple:mail:-:::::iphone_os::
	cpe:2.3:a:bloop:airmail:-:::::::*
	cpe:2.3:a:emclient:emclient:-:::::::*
	cpe:2.3:a:flipdogsolutions:maildroid:-:::::::*
	cpe:2.3:a:freron:mailmate:-:::::::*
	cpe:2.3:a:horde:horde_imp:-:::::::*
	cpe:2.3:a:microsoft:outlook:2007:::::::*
	cpe:2.3:a:mozilla:thunderbird:-:::::::*
	cpe:2.3:a:postbox-inc:postbox:-:::::::*
	cpe:2.3:a:r2mail2:r2mail2:-:::::::*
	cpe:2.3:a:roundcube:webmail:-:::::::*

No data.

References

Link	Providers
http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.html
http://www.securityfocus.com/bid/104162
http://www.securitytracker.com/id/1040904
https://efail.de
https://efail.de/
https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html
https://news.ycombinator.com/item?id=17066419
https://nvd.nist.gov/vuln/detail/CVE-2017-17688
https://protonmail.com/blog/pgp-vulnerability-efail
https://twitter.com/matthew_d_green/status/995996706457243648
https://www.cve.org/CVERecord?id=CVE-2017-17688
https://www.patreon.com/posts/cybersecurity-15-18814817
https://www.synology.com/support/security/Synology_SA_18_22

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-05-16T19:00:00

Updated: 2024-08-05T20:59:17.546Z

Reserved: 2017-12-15T00:00:00

Link: CVE-2017-17688

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-05-16T19:29:00.223

Modified: 2024-11-21T03:18:27.723

Link: CVE-2017-17688

Redhat

Severity : Moderate

Publid Date: 2018-05-14T00:00:00Z

Links: CVE-2017-17688 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object