16 May 2018

eM Client and Efail

A group of European security researchers has released a warning about a set of vulnerabilities affecting users of email encryption with PGP and S/MIME technologies. It is called "Efail" and it is currently a hot topic on the internet. So how does this affect eM Client?

Overview

We have been in contact with the researchers from Germany and Belgium that published the Efail Document and we worked closely with them to find a solution for the issues that do affect eM Client. We are happy to provide you with an update that handles the possible Efail attacks even though eM Client was not among the programs that were affected by the most dangerous Efail vulnerabilities. To all of the eM Client users, we recommend installing the latest update (link is available at the end of this article).

In a few days, we will start rolling out the update to all of our users.

What are these vulnerabilities all about?

Efail basically comes with two types of possible attacks. For both of them, the attacker must possess the encrypted message to be able to take advantage of the vulnerability.

  • Direct exfiltration

    In this case, the attacker crafts a modified email from the original encrypted email, so that the encrypted part of the message is embedded into an image tag or another JavaScript or HTML construct, which will extract the decrypted message and send it in full to a location designated by the attacker.

    This type of vulnerability is not possible with eM Client, because we (unlike for example Outlook, Apple Mail or Thunderbird) handle multipart messages in a way that makes this attack impossible.

  • The CBC/CFB Gadget attack

    This vulnerability is much more complex and is based on two steps.

    In the first step, the attacker injects an encrypted representation of his malicious code somewhere in the body of the email being shown.

    This presumes that the attacker can guess a part of the unencrypted text of the original encrypted message, which may be rather easy with S/MIME (since most of the S/MIME messages begin with the same phrase) but is a bit harder with PGP.

    It uses sophisticated bit guessing based on the malleability of the CBC/CFB encryption modes. The full explanation is beyond this blog post; it is well described in the actual Efail paper (https://efail.de).

    In the second step, the injected code, once rendered, makes a request to the attacker's server carrying the completely decrypted message.

    The Efail paper calls these requests exfiltration channels. In eM Client they found three possible channels that could post some data to a third-party (attacker) server. We believe only one of them is relevant for a potentially successful attack in versions before our current patch.

Exfiltration channels

Here are the exfiltration channels Efail listed with eM Client.

  • Loading malformed CSS style tags

    This attack injects this type of code:

    <style>'<body/onload="..."><?/script>

    We believe this is the only way an Efail attack on an encrypted message could theoretically be achieved in eM Client. We fixed this issue immediately, and it cannot happen in the currently released version (or any future one).

  • HTTP request for favicon

    We download favicon images from sender domains to be able to show avatars for these senders in the application. An attacker who controls a DNS server for a custom third-level domain can use this to find out which emails have been read by a recipient.

    We stopped making HTTP requests for third-level domains, and avatar downloading can also be disabled completely in Menu > Tools > Settings > Contacts.

  • Request for an intermediate S/MIME certificate

    This attack presumes that the attacker crafts an S/MIME certificate chain so that the intermediate certificate points to a URL of his own. We stopped automatically downloading these additional certificate URIs.
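    As an added illustration of the kind of hardening these three channels call for, here is a small Python sketch. It is example code written for this article, not eM Client's source: it assumes the client hands the decrypted HTML body to sanitize_body before rendering, and consults avatar_lookup_allowed before any favicon fetch (both function names are this example's own). The sanitizer drops <style>/<script> and similar active elements, removes on* event handlers and inline CSS, and neutralises every remote src/href so that a crafted body has no way to carry the decrypted text to a third-party server; the avatar check refuses third-level (or deeper) sender domains. The sample bodies below are constructed for the test.

```python
"""Exfiltration-channel hardening for a decrypted mail body (added example,
not eM Client code). Function and constant names are this example's own."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements whose content or side effects can run code or fetch remote data.
DROP_TAGS = {"style", "script", "link", "meta", "iframe", "object",
             "embed", "form", "base"}
# Attributes that reference a resource; a remote fetch is itself a channel.
URL_ATTRS = {"src", "href", "background", "poster", "action", "formaction"}
# Only inline or local references survive; http/https/ftp are dropped.
ALLOWED_SCHEMES = {"cid", "data", "mailto"}


class BodySanitizer(HTMLParser):
    """Rebuilds the body keeping only inert markup."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a dropped element
        self.blocked = []     # remote references that were neutralised

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            self.skip_depth += 1   # everything until the matching end tag goes
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):          # onload=, onerror=, onclick=, ...
                continue
            if lname == "style":                # inline CSS can carry url(...)
                continue
            if lname in URL_ATTRS and value is not None:
                scheme = urlsplit(value.strip()).scheme.lower()
                if scheme not in ALLOWED_SCHEMES:
                    self.blocked.append(value)  # record, do not render
                    continue
            kept.append((name, value))
        attr_text = "".join(
            f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        # <img .../> style tags have no end tag, so never enter skip mode here.
        if tag not in DROP_TAGS:
            self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")


def sanitize_body(html_body):
    """Return (sanitised_html, list_of_blocked_remote_references)."""
    parser = BodySanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked


def avatar_lookup_allowed(sender_address):
    """Allow a favicon/avatar fetch only for a two-label domain (label.tld).
    Simplification for the example: no public-suffix list, so co.uk-style
    registries are treated as refused rather than looked up."""
    domain = sender_address.rpartition("@")[2].strip().lower().rstrip(".")
    labels = domain.split(".")
    return len(labels) == 2 and all(labels)


if __name__ == "__main__":
    # Constructed sample: a message body with an injected style block and a
    # remote image whose URL would carry data to a third-party server.
    body = ('<p>Hello</p><style>\'<body/onload="..."></style>'
            '<img src="http://third-party.example/collect?m=1"><img src="cid:a1">')
    clean, blocked = sanitize_body(body)
    print(clean)      # <p>Hello</p><img><img src="cid:a1">
    print(blocked)    # ['http://third-party.example/collect?m=1']
    print(avatar_lookup_allowed("alice@example.com"))        # True
    print(avatar_lookup_allowed("bob@track.example.com"))    # False
```

    Note that the sanitizer fails closed: an unterminated <style> swallows the rest of the body rather than letting any of it render, which is the safer outcome for a message an attacker has already tampered with.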

Are you in danger?

For most use cases, you are just fine. The Efail vulnerabilities presume that the attacker has already gained access to your emails (by getting access to your mail server or by a man-in-the-middle attack) and is able to guess some parts of the original email.

However, to be 100% sure, we recommend installing the newest update, which closes all the mentioned exfiltration channels and effectively prevents the attacker from getting the original message in any way.