Details of VAR-201805-0227

ID

VAR-201805-0227

CVE

CVE-2017-17688

TITLE

OpenPGP and S/MIME mail client vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#122919

DESCRIPTION

The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification. In multiple mail clients OpenPGP and S/MIME A plaintext message may be leaked when decrypting the message. OpenPGP and S/MIME For e-mail clients that support, it is possible to establish a channel for sending plaintext by decrypting encrypted e-mail inserted with content crafted by an attacker with the user's e-mail client. The discoverer can attack with this vulnerability "CBC/CFB gadget attack" I call it. For example HTML image By inserting a tag, the decrypted message is HTTP It may be sent as part of the request. * *CVE-2017-17688: OpenPGP CFB Attacks * *CVE-2017-17689: S/MIME CBC Attacks Some email clients also use multipart MIME Because the message is not properly separated and processed, attackers can process encrypted mail in plain text. MIME It can be included in the part. in this case, CBC/CFB gadget attack The plaintext message may be sent without executing. Detail is, <a href="https://efail.de/efail-attack-paper.pdf" target="blank"> Articles provided by the discoverer </a> Please refer to.A remote attacker may obtain plaintext from encrypted mail without the key information required for decryption. OpenPGP is prone to an information disclosure vulnerability. An attacker can exploit this issue to perform man-in-the-middle attacks and obtain sensitive information. Successful exploits will lead to other attacks. OpenPGP is a set of email encryption standards that supports multiple platforms

Trust: 2.79

sources: NVD: CVE-2017-17688 // CERT/CC: VU#122919 // JVNDB: JVNDB-2017-012995 // BID: 104162 // VULHUB: VHN-108735 // VULMON: CVE-2017-17688

AFFECTED PRODUCTS

vendor:	roundcube	model:	webmail	scope:	eq	version:	-	Trust: 1.6
vendor:	bloop	model:	airmail	scope:	eq	version:	-	Trust: 1.0
vendor:	freron	model:	mailmate	scope:	eq	version:	-	Trust: 1.0
vendor:	horde	model:	imp	scope:	eq	version:	-	Trust: 1.0
vendor:	flipdogsolutions	model:	maildroid	scope:	eq	version:	-	Trust: 1.0
vendor:	r2mail2	model:	r2mail2	scope:	eq	version:	-	Trust: 1.0
vendor:	emclient	model:	emclient	scope:	eq	version:	-	Trust: 1.0
vendor:	apple	model:	mail	scope:	eq	version:	-	Trust: 1.0
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	-	Trust: 1.0
vendor:	microsoft	model:	outlook	scope:	eq	version:	2007	Trust: 1.0
vendor:	postbox	model:	postbox	scope:	eq	version:	-	Trust: 1.0
vendor:	9folders	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	airmail	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	apple	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	evolution	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	flipdog	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	gpgtools	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	gnupg	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	google	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	ibm	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	kmail	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	mailmate	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	microsoft	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	mozilla	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	postbox	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	r2mail2	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	ritlabs srl	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	roundcube	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	the enigmail	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	the horde	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	trojita	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	em client	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	multiple vendors	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	roundcube	model:	round cube webmail	scope:	eq	version:	0	Trust: 0.3
vendor:	r2mail2	model:	r2mail2	scope:	eq	version:	0	Trust: 0.3
vendor:	postbox	model:	postbox	scope:	eq	version:	0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	52.5.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	45.5.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	45.1.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.1.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0.7	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0.6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0.3	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	16.0.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	15.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	13.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	12.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.20	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.14	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.13	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.12	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.7	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.11	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.9	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.024	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.9	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.19	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.17	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.16	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.15	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.14	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.13	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.12	Trust: 0.3
vendor:	mozilla	model:	thunderbird beta	scope:	eq	version:	1.52	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.9	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.13	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.0.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.0.7	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.0.6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.0.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.0.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	0.9	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	0.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	0.7.3	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	0.7.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	0.7.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	0.7	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	0.6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	9.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	9.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	8.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	7.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	7.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	6.0.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	6.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	6.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	52.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	52.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	52.3	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	52.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	52.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	52	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	5.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	45.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	45.7	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	45.6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	45.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	38.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	32.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.7	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.3	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.1.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.1.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.1.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.3	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.9	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.3	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.19	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.18	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.17	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.16	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.15	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.11	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.10	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.7	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.3	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.10	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.8.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.7	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.3	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	23.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.0.23	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.0.22	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.0.21	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.0.20	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.0.18	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.0.11	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0.9	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	16.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	16.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	16	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	15.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	15	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	14.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	14	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	13.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	12.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	11.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	11.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	10.0.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	10.0.3	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	10.0.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	10.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	10.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.0.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.0.7	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.0.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.0.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.0.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.0.14	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.0.12	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.0.10	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird beta	scope:	eq	version:	1.0.5	Trust: 0.3
vendor:	microsoft	model:	outlook	scope:	eq	version:	20070	Trust: 0.3
vendor:	horde	model:	project horde imp	scope:	eq	version:	0	Trust: 0.3
vendor:	flipdog	model:	solutions maildroid	scope:	eq	version:	0	Trust: 0.3
vendor:	enigmail	model:	enigmail	scope:	eq	version:	0	Trust: 0.3
vendor:	em	model:	client em client	scope:	eq	version:	0	Trust: 0.3
vendor:	apple	model:	mail	scope:	-	version:	-	Trust: 0.3
vendor:	airmail	model:	airmail	scope:	eq	version:	0	Trust: 0.3

sources: CERT/CC: VU#122919 // BID: 104162 // JVNDB: JVNDB-2017-012995 // CNNVD: CNNVD-201712-725 // NVD: CVE-2017-17688

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-17688
value:	MEDIUM
Trust: 1.0
CNNVD:	CNNVD-201712-725
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-108735
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2017-17688
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-17688
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-108735
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-17688
baseSeverity:	MEDIUM
baseScore:	5.9
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.2
impactScore:	3.6
version:	3.0
Trust: 1.0

sources: VULHUB: VHN-108735 // VULMON: CVE-2017-17688 // CNNVD: CNNVD-201712-725 // NVD: CVE-2017-17688

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-310	Trust: 0.1

sources: VULHUB: VHN-108735 // NVD: CVE-2017-17688

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201712-725

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201712-725

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-012995

PATCH

title:	Debian CVElist Bug Report Logs: enigmail: efail attack against enigmail	url:	https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=56a8018aac811c8d81b81ef5a6c3623a	Trust: 0.1
title:	Red Hat: CVE-2017-17688	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2017-17688	Trust: 0.1
title:	Efail-malleability-gadget-exploit	url:	https://github.com/jaads/Efail-malleability-gadget-exploit	Trust: 0.1
title:	more Boring bugs	url:	https://github.com/hannob/pgpbugs	Trust: 0.1
title:	SecDB - Security Feeds	url:	https://github.com/giterlizzi/secdb-feeds	Trust: 0.1
title:	The Register	url:	https://www.theregister.co.uk/2018/05/14/smime_pgp_encryption_flaw_emails_vulnerable_to_snooping/	Trust: 0.1

sources: VULMON: CVE-2017-17688

EXTERNAL IDS

db:	NVD	id:	CVE-2017-17688	Trust: 2.9
db:	BID	id:	104162	Trust: 2.1
db:	CERT/CC	id:	VU#122919	Trust: 2.0
db:	SECTRACK	id:	1040904	Trust: 1.8
db:	JVN	id:	JVNVU95575473	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-012995	Trust: 0.8
db:	CNNVD	id:	CNNVD-201712-725	Trust: 0.7
db:	VULHUB	id:	VHN-108735	Trust: 0.1
db:	VULMON	id:	CVE-2017-17688	Trust: 0.1

sources: CERT/CC: VU#122919 // VULHUB: VHN-108735 // VULMON: CVE-2017-17688 // BID: 104162 // JVNDB: JVNDB-2017-012995 // CNNVD: CNNVD-201712-725 // NVD: CVE-2017-17688

REFERENCES

url:	https://efail.de/	Trust: 1.9
url:	http://www.securityfocus.com/bid/104162	Trust: 1.8
url:	https://www.synology.com/support/security/synology_sa_18_22	Trust: 1.8
url:	http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.html	Trust: 1.8
url:	https://efail.de	Trust: 1.8
url:	https://lists.gnupg.org/pipermail/gnupg-users/2018-may/060334.html	Trust: 1.8
url:	https://news.ycombinator.com/item?id=17066419	Trust: 1.8
url:	https://protonmail.com/blog/pgp-vulnerability-efail	Trust: 1.8
url:	https://twitter.com/matthew_d_green/status/995996706457243648	Trust: 1.8
url:	https://www.patreon.com/posts/cybersecurity-15-18814817	Trust: 1.8
url:	http://www.securitytracker.com/id/1040904	Trust: 1.8
url:	https://efail.de/efail-attack-paper.pdf	Trust: 1.6
url:	https://www.kb.cert.org/vuls/id/122919	Trust: 1.2
url:	https://tools.ietf.org/html/rfc4880	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17689	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17688	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu95575473/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-17689	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-17688	Trust: 0.8
url:	https://www.openpgp.org/	Trust: 0.3
url:	https://bugzilla.redhat.com/show_bug.cgi?id=1577906	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2017-17688	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898630	Trust: 0.1
url:	https://github.com/jaads/efail-malleability-gadget-exploit	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CERT/CC: VU#122919 // VULHUB: VHN-108735 // VULMON: CVE-2017-17688 // BID: 104162 // JVNDB: JVNDB-2017-012995 // CNNVD: CNNVD-201712-725 // NVD: CVE-2017-17688

CREDITS

Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jorg Schwenk.

Trust: 0.3

sources: BID: 104162

SOURCES

db:	CERT/CC	id:	VU#122919
db:	VULHUB	id:	VHN-108735
db:	VULMON	id:	CVE-2017-17688
db:	BID	id:	104162
db:	JVNDB	id:	JVNDB-2017-012995
db:	CNNVD	id:	CNNVD-201712-725
db:	NVD	id:	CVE-2017-17688

LAST UPDATE DATE

2024-11-23T20:04:06.356000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#122919	date:	2018-05-15T00:00:00
db:	VULHUB	id:	VHN-108735	date:	2019-10-03T00:00:00
db:	VULMON	id:	CVE-2017-17688	date:	2023-11-07T00:00:00
db:	BID	id:	104162	date:	2018-05-15T10:00:00
db:	JVNDB	id:	JVNDB-2017-012995	date:	2018-08-30T00:00:00
db:	CNNVD	id:	CNNVD-201712-725	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-17688	date:	2024-11-21T03:18:27.723

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#122919	date:	2018-05-14T00:00:00
db:	VULHUB	id:	VHN-108735	date:	2018-05-16T00:00:00
db:	VULMON	id:	CVE-2017-17688	date:	2018-05-16T00:00:00
db:	BID	id:	104162	date:	2018-05-14T00:00:00
db:	JVNDB	id:	JVNDB-2017-012995	date:	2018-05-16T00:00:00
db:	CNNVD	id:	CNNVD-201712-725	date:	2017-12-18T00:00:00
db:	NVD	id:	CVE-2017-17688	date:	2018-05-16T19:29:00.223