Vulnerability Description
The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apple | - | |
| Bloop | Airmail | - |
| Emclient | Emclient | - |
| Flipdogsolutions | Maildroid | - |
| Freron | Mailmate | - |
| Horde | Horde Imp | - |
| Microsoft | Outlook | 2007 |
| Mozilla | Thunderbird | - |
| Postbox-Inc | Postbox | - |
| R2Mail2 | R2Mail2 | - |
| Roundcube | Webmail | - |
References
- http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.htmlThird Party Advisory
- http://www.securityfocus.com/bid/104162Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1040904Third Party AdvisoryVDB Entry
- https://efail.deExploitMitigationThird Party Advisory
- https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.htmlThird Party Advisory
- https://news.ycombinator.com/item?id=17066419Issue TrackingThird Party Advisory
- https://protonmail.com/blog/pgp-vulnerability-efailIssue TrackingThird Party Advisory
- https://twitter.com/matthew_d_green/status/995996706457243648Third Party Advisory
- https://www.patreon.com/posts/cybersecurity-15-18814817Issue TrackingThird Party Advisory
- https://www.synology.com/support/security/Synology_SA_18_22Third Party Advisory
- http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.htmlThird Party Advisory
- http://www.securityfocus.com/bid/104162Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1040904Third Party AdvisoryVDB Entry
- https://efail.deExploitMitigationThird Party Advisory
- https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.htmlThird Party Advisory
FAQ
What is CVE-2017-17688?
CVE-2017-17688 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a proble...
How severe is CVE-2017-17688?
CVE-2017-17688 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-17688?
Check the references section above for vendor advisories and patch information. Affected products include: Apple Mail, Bloop Airmail, Emclient Emclient, Flipdogsolutions Maildroid, Freron Mailmate.