Malleability-Gadget Attack in OpenPGP Specification Affecting Supported Applications
CVE-2017-17688

5.9MEDIUM

Key Information:

Vendor
Microsoft
Status
Outlook
Horde Imp
Maildroid
R2mail2
Vendor
CVE Published:
16 May 2018

Summary

The OpenPGP specification is subjected to a malleability-gadget attack, which can lead to plaintext exfiltration in applications that mismanage the Modification Detection Code (MDC) feature or accept obsolete packet types. This vulnerability underscores the importance of proper handling of cryptographic standards to prevent unintended data exposure. Users should ensure their applications are updated to mitigate such issues.

References

https://protonmail.com/blog/pgp-vulnerability-efail
x_refsource_MISC
https://news.ycombinator.com/item?id=17066419
x_refsource_MISC
https://www.patreon.com/posts/cybersecurity-15-18814817
x_refsource_MISC

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.