'[FD] OpenPGP and S/MIME signature forgery attacks in multiple email clients'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] OpenPGP and S/MIME signature forgery attacks in multiple email clients
From:       Jens_Müller via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2019-04-30 12:33:59
Message-ID: cfa7f507-b1ff-91ae-1841-68c18d505d90 () rub ! de
[Download RAW message or body]

In the scope of academic research at Ruhr-University Bochum and Münster
University of Applied Sciences, Germany, various vulnerabilities
regarding the signature verification logic in OpenPGP and S/MIME capable
email clients have been discovered.

While neither OpenPGP nor S/MIME are directly affected, email client
implementations show a poor performance. Popular clients such as Apple
Mail or Thunderbird are vulnerable to signature spoofing on multiple
layers (attack classes).

*Abstract:*

OpenPGP and S/MIME are the two major standards to encrypt and digitally
sign emails. Digital signatures are supposed to guarantee authenticity
and integrity of messages. In this work we show practical forgery
attacks against various implementations of OpenPGP and S/MIME email
signature verification in five attack classes: (1) We analyze edge cases
in S/MIME's container format. (2) We exploit in-band signaling in the
GnuPG API, the most widely used OpenPGP implementation. (3) We apply
MIME wrapping attacks that abuse the email clients' handling of
partially signed messages. (4) We analyze weaknesses in the binding of
signed messages to the sender identity. (5) We systematically test email
clients for UI redressing attacks.

Our attacks allow the spoofing of digital signatures for arbitrary
messages in 14 out of 20 tested OpenPGP-capable email clients and 15 out
of 22 email clients supporting S/MIME signatures. While the attacks do
not target the underlying cryptographic primitives of digital
signatures, they raise concerns about the actual security of OpenPGP and
S/MIME email applications. Finally, we propose mitigation strategies to
counter these attacks.

*Affected clients:*

The following email clients -- with S/MIME support or PGP plugins --
are fully or partially vulnerable. While most issues are patched now,
some email clients remain vulnerable, especially to minor issues.

Thunderbird (52.5.2), Outlook/GpgOL (16.0.4266), The Bat! (8.2.0), eM
Client (7.1.31849), Postbox (5.0.20), KMail (5.2.3), Evolution (3.22.6),
Trojitá (0.7-278), Apple Mail (11.2), MailMate (1.10), Airmail (3.5.3),
K-9 Mail (5.403), R2Mail2 (2.30), MailDroid (4.81), Nine (4.1.3a),
Roundcube (1.3.4), Mailpile (1.0.0rc2)

*Resulting CVEs:*

CVE-2018-18509, CVE-2018-12019, CVE-2018-12020, CVE-2017-17848,
CVE-2018-15586, CVE-2018-15587, CVE-2018-15588, CVE-2019-8338,
CVE-2018-12356, CVE-2018-12556, CVE-2019-728

*Paper and Exploits:*

- Full paper (to be published at USENIX Security '19):
https://github.com/RUB-NDS/Johnny-You-Are-Fired/raw/master/paper/johnny-fired.pdf
- Artifacts (.eml testcases to check your own client):
https://github.com/RUB-NDS/Johnny-You-Are-Fired
- BSI / CERT Bund press release (German only):
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Signaturfaelschungen-300419.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread] 