CVE-2017-17688
Summary
| CVE | CVE-2017-17688 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-05-16 19:29:00 UTC |
| Updated | 2023-11-07 02:41:00 UTC |
| Description | ** DISPUTED ** The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification. |
Risk And Classification
Problem Types: NVD-CWE-noinfo
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apple | - | All | All | All | |
| Application | Bloop | Airmail | - | All | All | All |
| Application | Emclient | Emclient | - | All | All | All |
| Application | Flipdogsolutions | Maildroid | - | All | All | All |
| Application | Freron | Mailmate | - | All | All | All |
| Application | Horde | Horde Imp | - | All | All | All |
| Application | Microsoft | Outlook | 2007 | All | All | All |
| Application | Mozilla | Thunderbird | - | All | All | All |
| Application | Postbox-inc | Postbox | - | All | All | All |
| Application | R2mail2 | R2mail2 | - | All | All | All |
| Application | Roundcube | Webmail | - | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| A Unified Timeline | MISC | flaked.sockpuppet.org | Third Party Advisory |
| OpenPGP CFB Mode Authentication Flaw Lets Remote Users Decrypt and Obtain Potentially Sensitive Information from the Target User's Email Client - SecurityTracker | SECTRACK | www.securitytracker.com | Third Party Advisory, VDB Entry |
| EFAIL | MISC | efail.de | Exploit, Mitigation, Third Party Advisory |
| Cybersecurity Roundup: May 15, 2018 | Violet Blue on Patreon | MISC | www.patreon.com | Issue Tracking, Third Party Advisory |
| Matthew Green on Twitter: "So in summary, PGP clients are vulnerable because 17 years after a vulnerability was known, the mitigation was not made a default in GnuPG and defense was instead “left to PGP clients”, which also make a convenient scapegoat when it goes pear-shaped. 12/" | MISC | twitter.com | Third Party Advisory |
| No, PGP is not broken, not even with the Efail vulnerabilities - ProtonMail Blog | MISC | protonmail.com | Issue Tracking, Third Party Advisory |
| Let's summarize the situation: Abstract: S/MIME and MUAs are broken. OpenPGP (... | Hacker News | MISC | news.ycombinator.com | Issue Tracking, Third Party Advisory |
| Synology Inc. | CONFIRM | www.synology.com | Third Party Advisory |
| OpenPGP CVE-2017-17688 Man In The Middle Information Disclosure Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Efail press release | MISC | lists.gnupg.org | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.