On Monday morning, Sebastian Schinzel, professor of computer security at the University of Münster in Germany, published a tweet to warn of the discovery of a new security vulnerability concerning OpenPGP and S/MIME e-mail encryption tools.
Following this announcement, management at GNU Privacy Guard software said the vulnerabilities were at the implementation level in e-mail clients.
Vulnerabilities to exflitrate sensitive data
Both vulnerabilities, Direct Exfiltration and CBC/CFB Gadget Attack, could allow an attacker to exfiltrate sensitive data from encrypted emails.
We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4
— Sebastian Schinzel (@seecurity) 14 mai 2018
They figured out mail clients which don't properly check for decryption errors and also follow links in HTML mails. So the vulnerability is in the mail clients and not in the protocols. In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation.
— GNU Privacy Guard (@gnupg) 14 mai 2018
Protection with Stormshield solutions
Our Stormshield Network Security and Stormshield Endpoint Security solutions do not use OpenPGP or S/MIME encryption tools.
Regarding our Stormshield Data Security solution, our decryption implementation allows us to not be impacted by these vulnerabilities. Within SDS Enterprise, our mail add-in, Stormshield Data Mail for Outlook, uses a special mechanism to decrypt S/MIME and OpenPGP encryption tools, and is therefore not vulnerable to direct exfiltration or CBC/CFB Gadget Attacks.
Full security advisory from our teams available on our website: advisories.stormshield.eu. And for more information on vulnerabilities, visit the dedicated website.
