Details of VAR-201805-0228

ID

VAR-201805-0228

CVE

CVE-2017-17689

TITLE

OpenPGP and S/MIME mail client vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#122919

DESCRIPTION

The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. In multiple mail clients OpenPGP and S/MIME A plaintext message may be leaked when decrypting the message. OpenPGP and S/MIME For e-mail clients that support, it is possible to establish a channel for sending plaintext by decrypting encrypted e-mail inserted with content crafted by an attacker with the user's e-mail client. The discoverer can attack with this vulnerability "CBC/CFB gadget attack" I call it. For example HTML image By inserting a tag, the decrypted message is HTTP It may be sent as part of the request. * *CVE-2017-17688: OpenPGP CFB Attacks * *CVE-2017-17689: S/MIME CBC Attacks Some email clients also use multipart MIME Because the message is not properly separated and processed, attackers can process encrypted mail in plain text. MIME It can be included in the part. in this case, CBC/CFB gadget attack The plaintext message may be sent without executing. Detail is, <a href="https://efail.de/efail-attack-paper.pdf" target="blank"> Articles provided by the discoverer </a> Please refer to.A remote attacker may obtain plaintext from encrypted mail without the key information required for decryption. An attacker can exploit this issue to perform man-in-the-middle attacks and obtain sensitive information. Successful exploits will lead to other attacks. S/MIME is a certificate implementation for email encryption. A security vulnerability exists in S/MIME. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4244-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff July 13, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : thunderbird CVE ID : CVE-2017-17689 CVE-2018-5188 CVE-2018-12359 CVE-2018-12360 CVE-2018-12362 CVE-2018-12363 CVE-2018-12364 CVE-2018-12365 CVE-2018-12366 CVE-2018-12372 CVE-2018-12373 CVE-2018-12374 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or attacks on encrypted emails. For the stable distribution (stretch), these problems have been fixed in version 1:52.9.1-1~deb9u1. We recommend that you upgrade your thunderbird packages. For the detailed security status of thunderbird please refer to its security tracker page at: https://security-tracker.debian.org/tracker/thunderbird Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAltI+2sACgkQEMKTtsN8 TjZXHRAAgOmSvTwwmmzxRH/4tSSpndZCFCtkHrG5PU5D3XesLGnWpNZk9aINsaU2 ih3fmEKzQgHHfAzK3d9TcGjyiI+PoVuWkVknsVqTrHd+xQtxUs7B/5Pfz5WKiYDJ QJ4NhjTgHHystYa0j2CvK28/ZoPVZgwnc/D051ChTInPWXimJI+TxpsndW/NPuaJ SphoPP34OMO2EARjrKCxiL6NRv6kD4CJv0AgoYfdO0qPXomuA8HpDAH1itd7GbRq yVJoZRnpz9dGjJSM5wyFCc1BIqmA/CMphhmqiRTuFBA+rOSEDblzfc2tg9t82CVQ caA7rF3VrYx8qmgpP3akCju+SDOEWLerFGHH1iaQ+GBqiXvduvMl/MSXCZmVZzIC 92Ko2m9kURkak4yKccEbHJ5Vh8i0oLUOc+Ee3MUUfWUblYbCcB4z34p9hRwc8u83 mmGUbsq+qWvdcd9NkekKC/ENQZt4Egb3doeEzqSkaa4uhFaQ1gGosHXGslNTCqLl 6RyeFON9Q5CWphQET+rmnlcJ8B1cSHgpG1ZTN6szlsQpiVgcRu/JYrgyzX9Y6WdY rAape6t+gsEeLOP7n9pZ/KYSadUF5CvYY/nX9H6kJO1RmG9y0A+8wAEuW+nSOMMJ vh2U09+y5XJHQqV0MMTKbnadxlyi8Oerc0zrYaoBuYhR7wmvkus= =R2OH -----END PGP SIGNATURE-----

Trust: 2.88

sources: NVD: CVE-2017-17689 // CERT/CC: VU#122919 // JVNDB: JVNDB-2017-012995 // BID: 104165 // VULHUB: VHN-108736 // VULMON: CVE-2017-17689 // PACKETSTORM: 148553

AFFECTED PRODUCTS

vendor:	ritlabs	model:	the bat	scope:	eq	version:	-	Trust: 1.6
vendor:	microsoft	model:	outlook	scope:	eq	version:	2013	Trust: 1.3
vendor:	kde	model:	trojita	scope:	eq	version:	-	Trust: 1.0
vendor:	emclient	model:	emclient	scope:	eq	version:	-	Trust: 1.0
vendor:	microsoft	model:	outlook	scope:	eq	version:	2016	Trust: 1.0
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	-	Trust: 1.0
vendor:	gnome	model:	evolution	scope:	eq	version:	-	Trust: 1.0
vendor:	bloop	model:	airmail	scope:	eq	version:	-	Trust: 1.0
vendor:	freron	model:	mailmate	scope:	eq	version:	-	Trust: 1.0
vendor:	kde	model:	kmail	scope:	eq	version:	-	Trust: 1.0
vendor:	microsoft	model:	outlook	scope:	eq	version:	2010	Trust: 1.0
vendor:	horde	model:	imp	scope:	eq	version:	-	Trust: 1.0
vendor:	9folders	model:	nine	scope:	eq	version:	-	Trust: 1.0
vendor:	flipdogsolutions	model:	maildroid	scope:	eq	version:	-	Trust: 1.0
vendor:	r2mail2	model:	r2mail2	scope:	eq	version:	-	Trust: 1.0
vendor:	apple	model:	mail	scope:	eq	version:	-	Trust: 1.0
vendor:	ibm	model:	notes	scope:	eq	version:	-	Trust: 1.0
vendor:	microsoft	model:	outlook	scope:	eq	version:	2007	Trust: 1.0
vendor:	postbox	model:	postbox	scope:	eq	version:	-	Trust: 1.0
vendor:	google	model:	gmail	scope:	eq	version:	-	Trust: 1.0
vendor:	9folders	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	airmail	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	apple	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	evolution	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	flipdog	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	gpgtools	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	gnupg	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	google	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	ibm	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	kmail	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	mailmate	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	microsoft	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	mozilla	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	postbox	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	r2mail2	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	ritlabs srl	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	roundcube	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	the enigmail	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	the horde	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	trojita	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	em client	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	multiple vendors	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	r2mail2	model:	r2mail2	scope:	eq	version:	0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	52.5.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	45.5.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	45.1.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.1.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0.7	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0.6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0.3	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	16.0.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	15.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	13.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	12.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.20	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.14	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.13	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.12	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.7	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.11	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.9	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.024	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.9	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.19	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.17	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.16	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.15	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.14	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.13	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.12	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.9	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.0.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.0.7	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.0.6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.0.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.0.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	0.9	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	0.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	0.7.3	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	0.7.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	0.7.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	0.7	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	0.6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	7.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	52.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	52.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	52.3	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	52.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	52.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	52	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	45.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	45.7	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	45.6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	45.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	38.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	32.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.7	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.3	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.1.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.1.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.1.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	31	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.3	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.9	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.3	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.19	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.18	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.17	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.16	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.15	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.11	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.10	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.7	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.3	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0.10	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	3.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.8.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.7	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.6	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.3	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	24.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	23.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.0.23	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.0.22	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.0.21	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.0.20	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.0.18	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	2.0.0.11	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0.9	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	17.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	16.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	16.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	16	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	15.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	15	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	14.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	14	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	13.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	12.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	11.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	11.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	10.0.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	10.0.3	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	10.0.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	10.0.1	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	10.0	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.0.8	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.0.7	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.0.5	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.0.4	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.0.2	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.0.14	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.0.12	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.0.10	Trust: 0.3
vendor:	mozilla	model:	thunderbird	scope:	eq	version:	1.5.0.1	Trust: 0.3
vendor:	microsoft	model:	outlook	scope:	eq	version:	20100	Trust: 0.3
vendor:	microsoft	model:	outlook	scope:	eq	version:	20070	Trust: 0.3
vendor:	kde	model:	kmail	scope:	-	version:	-	Trust: 0.3
vendor:	ibm	model:	lotus inotes	scope:	eq	version:	-	Trust: 0.3
vendor:	google	model:	gmail for ios	scope:	eq	version:	0	Trust: 0.3
vendor:	freron	model:	mailmate	scope:	eq	version:	0	Trust: 0.3
vendor:	apple	model:	mail	scope:	-	version:	-	Trust: 0.3
vendor:	airmail	model:	airmail	scope:	eq	version:	0	Trust: 0.3

sources: CERT/CC: VU#122919 // BID: 104165 // JVNDB: JVNDB-2017-012995 // CNNVD: CNNVD-201712-724 // NVD: CVE-2017-17689

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-17689
value:	MEDIUM
Trust: 1.0
CNNVD:	CNNVD-201712-724
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-108736
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2017-17689
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-17689
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-108736
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-17689
baseSeverity:	MEDIUM
baseScore:	5.9
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.2
impactScore:	3.6
version:	3.0
Trust: 1.0

sources: VULHUB: VHN-108736 // VULMON: CVE-2017-17689 // CNNVD: CNNVD-201712-724 // NVD: CVE-2017-17689

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-310	Trust: 0.1

sources: VULHUB: VHN-108736 // NVD: CVE-2017-17689

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201712-724

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201712-724

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-012995

PATCH

title:	Red Hat: CVE-2017-17689	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2017-17689	Trust: 0.1
title:	Efail-malleability-gadget-exploit	url:	https://github.com/jaads/Efail-malleability-gadget-exploit	Trust: 0.1
title:	SecDB - Security Feeds	url:	https://github.com/giterlizzi/secdb-feeds	Trust: 0.1
title:	The Register	url:	https://www.theregister.co.uk/2018/05/14/smime_pgp_encryption_flaw_emails_vulnerable_to_snooping/	Trust: 0.1

sources: VULMON: CVE-2017-17689

EXTERNAL IDS

db:	NVD	id:	CVE-2017-17689	Trust: 3.0
db:	BID	id:	104165	Trust: 2.1
db:	CERT/CC	id:	VU#122919	Trust: 2.0
db:	JVN	id:	JVNVU95575473	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-012995	Trust: 0.8
db:	CNNVD	id:	CNNVD-201712-724	Trust: 0.7
db:	PACKETSTORM	id:	148553	Trust: 0.2
db:	VULHUB	id:	VHN-108736	Trust: 0.1
db:	VULMON	id:	CVE-2017-17689	Trust: 0.1

sources: CERT/CC: VU#122919 // VULHUB: VHN-108736 // VULMON: CVE-2017-17689 // BID: 104165 // JVNDB: JVNDB-2017-012995 // PACKETSTORM: 148553 // CNNVD: CNNVD-201712-724 // NVD: CVE-2017-17689

REFERENCES

url:	https://efail.de/	Trust: 1.9
url:	https://efail.de/efail-attack-paper.pdf	Trust: 1.9
url:	http://www.securityfocus.com/bid/104165	Trust: 1.8
url:	https://www.synology.com/support/security/synology_sa_18_22	Trust: 1.8
url:	https://efail.de	Trust: 1.8
url:	https://news.ycombinator.com/item?id=17066419	Trust: 1.8
url:	https://pastebin.com/gncc8aym	Trust: 1.8
url:	https://twitter.com/matthew_d_green/status/996371541591019520	Trust: 1.8
url:	https://www.kb.cert.org/vuls/id/122919	Trust: 1.2
url:	https://nvd.nist.gov/vuln/detail/cve-2017-17689	Trust: 0.9
url:	https://tools.ietf.org/html/rfc4880	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17689	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17688	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu95575473/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-17688	Trust: 0.8
url:	https://bugzilla.redhat.com/show_bug.cgi?id=1577909	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2017-17689	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://github.com/jaads/efail-malleability-gadget-exploit	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-12362	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-12360	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-12363	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-12365	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-12373	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-5188	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-12366	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-12372	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-12374	Trust: 0.1
url:	https://www.debian.org/security/faq	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-12364	Trust: 0.1
url:	https://www.debian.org/security/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-12359	Trust: 0.1
url:	https://security-tracker.debian.org/tracker/thunderbird	Trust: 0.1

CREDITS

Damian Poddebniak, Christian Dresen, Jens Muller, Fabian Ising, Sebastian Schinzel1, Simon Friedberger, Juraj Somorovsky, and Jorg Schwenk

Trust: 0.3

sources: BID: 104165

SOURCES

db:	CERT/CC	id:	VU#122919
db:	VULHUB	id:	VHN-108736
db:	VULMON	id:	CVE-2017-17689
db:	BID	id:	104165
db:	JVNDB	id:	JVNDB-2017-012995
db:	PACKETSTORM	id:	148553
db:	CNNVD	id:	CNNVD-201712-724
db:	NVD	id:	CVE-2017-17689

LAST UPDATE DATE

2024-11-23T20:59:49.596000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#122919	date:	2018-05-15T00:00:00
db:	VULHUB	id:	VHN-108736	date:	2019-10-03T00:00:00
db:	VULMON	id:	CVE-2017-17689	date:	2019-10-03T00:00:00
db:	BID	id:	104165	date:	2018-05-14T00:00:00
db:	JVNDB	id:	JVNDB-2017-012995	date:	2018-08-30T00:00:00
db:	CNNVD	id:	CNNVD-201712-724	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-17689	date:	2024-11-21T03:18:27.893

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#122919	date:	2018-05-14T00:00:00
db:	VULHUB	id:	VHN-108736	date:	2018-05-16T00:00:00
db:	VULMON	id:	CVE-2017-17689	date:	2018-05-16T00:00:00
db:	BID	id:	104165	date:	2018-05-14T00:00:00
db:	JVNDB	id:	JVNDB-2017-012995	date:	2018-05-16T00:00:00
db:	PACKETSTORM	id:	148553	date:	2018-07-14T12:12:00
db:	CNNVD	id:	CNNVD-201712-724	date:	2017-12-18T00:00:00
db:	NVD	id:	CVE-2017-17689	date:	2018-05-16T19:29:00.303