Full Disclosure mailing list archives
OpenPGP and S/MIME signature forgery attacks in multiple email clients
From: Jens Müller via Fulldisclosure <fulldisclosure () seclists org>
Date: Tue, 30 Apr 2019 14:33:59 +0200
In the scope of academic research at Ruhr-University Bochum and Münster University of Applied Sciences, Germany, various vulnerabilities regarding the signature verification logic in OpenPGP and S/MIME capable email clients have been discovered. While neither OpenPGP nor S/MIME are directly affected, email client implementations show a poor performance. Popular clients such as Apple Mail or Thunderbird are vulnerable to signature spoofing on multiple layers (attack classes).

*Abstract:*

OpenPGP and S/MIME are the two major standards to encrypt and digitally sign emails. Digital signatures are supposed to guarantee authenticity and integrity of messages. In this work we show practical forgery attacks against various implementations of OpenPGP and S/MIME email signature verification in five attack classes:

(1) We analyze edge cases in S/MIME's container format.
(2) We exploit in-band signaling in the GnuPG API, the most widely used OpenPGP implementation.
(3) We apply MIME wrapping attacks that abuse the email clients' handling of partially signed messages.
(4) We analyze weaknesses in the binding of signed messages to the sender identity.
(5) We systematically test email clients for UI redressing attacks.

Our attacks allow the spoofing of digital signatures for arbitrary messages in 14 out of 20 tested OpenPGP-capable email clients and 15 out of 22 email clients supporting S/MIME signatures. While the attacks do not target the underlying cryptographic primitives of digital signatures, they raise concerns about the actual security of OpenPGP and S/MIME email applications. Finally, we propose mitigation strategies to counter these attacks.

*Affected clients:*

The following email clients -- with S/MIME support or PGP plugins -- are fully or partially vulnerable. While most issues are patched now, some email clients remain vulnerable, especially to minor issues.

Thunderbird (52.5.2), Outlook/GpgOL (16.0.4266), The Bat! (8.2.0), eM Client (7.1.31849), Postbox (5.0.20), KMail (5.2.3), Evolution (3.22.6), Trojitá (0.7-278), Apple Mail (11.2), MailMate (1.10), Airmail (3.5.3), K-9 Mail (5.403), R2Mail2 (2.30), MailDroid (4.81), Nine (4.1.3a), Roundcube (1.3.4), Mailpile (1.0.0rc2)

*Resulting CVEs:*

CVE-2018-18509, CVE-2018-12019, CVE-2018-12020, CVE-2017-17848, CVE-2018-15586, CVE-2018-15587, CVE-2018-15588, CVE-2019-8338, CVE-2018-12356, CVE-2018-12556, CVE-2019-728

*Paper and Exploits:*

- Full paper (to be published at USENIX Security '19): https://github.com/RUB-NDS/Johnny-You-Are-Fired/raw/master/paper/johnny-fired.pdf
- Artifacts (.eml testcases to check your own client): https://github.com/RUB-NDS/Johnny-You-Are-Fired
- BSI / CERT Bund press release (German only): https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Signaturfaelschungen-300419.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
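
The following is an added example, not part of the advisory or the paper's artifacts: a structural check for attack class (3) that reports which displayable parts of a message lie outside any signed MIME container, so a "signed" indicator is not applied to the whole message. The function names and the sample messages are constructed for illustration, and no signature is verified here.

```python
from email import message_from_string, policy

def is_signed_container(part):
    """True for multipart/signed (PGP/MIME, S/MIME) or opaque S/MIME signed-data."""
    ctype = part.get_content_type()
    if ctype == "multipart/signed":
        return True
    return (ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime")
            and part.get_param("smime-type") == "signed-data")

def signature_coverage(raw):
    """Return (status, content types of leaf parts outside any signed container).

    Structural check only: it says what a signature could cover, not whether
    the signature is valid.
    """
    msg = message_from_string(raw, policy=policy.default)
    containers = [p for p in msg.walk() if is_signed_container(p)]
    if not containers:
        return "unsigned", []
    if is_signed_container(msg):
        return "fully-signed", []  # the signed container is the message root
    covered = {id(p) for c in containers for p in c.walk()}
    outside = [p.get_content_type() for p in msg.walk()
               if not p.is_multipart() and id(p) not in covered]
    return "partially-signed", outside

# Constructed sample input: a signed entity with a placeholder signature.
SIGNED = '''Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="sig"

--sig
Content-Type: text/plain

Signed text.
--sig
Content-Type: application/pgp-signature

placeholder, not a real signature
--sig--
'''
HDR = "From: alice@example.org\nSubject: test\nMIME-Version: 1.0\n"
FULL = HDR + SIGNED                      # signed entity is the whole message
WRAPPED = (HDR + 'Content-Type: multipart/mixed; boundary="outer"\n\n'
           "--outer\nContent-Type: text/html\n\n<p>Unsigned text.</p>\n"
           "--outer\n" + SIGNED + "--outer--\n")  # signed entity is only a sub-part

if __name__ == "__main__":
    for name, raw in (("FULL", FULL), ("WRAPPED", WRAPPED)):
        print(name, signature_coverage(raw))
```
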