SB2018052411 - SUSE Linux update for enigmail
Published: May 24, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2017-17688)
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to improper access controls. A remote attacker with access to a target user's PGP encrypted email message can exploit a property of Cipher Feedback Mode (CFB) by modifying known plaintext blocks (such as MIME headers). When the target user decrypts and views the modified email message, the target user's mail client will parse the resulting modified HTML content and disclose the original plaintext to a remote URL.
This exploit is the "CFB gadget" attack method of the vulnerability referred to as "EFAIL".
Various email clients or email client plugins that use OpenPGP or implement the PGP standard are affected.
2) Information disclosure (CVE-ID: CVE-2017-17689)
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to improper access controls. A remote attacker with access to a target user's S/MIME encrypted email message can exploit a property of Cipher Feedback Mode (CFB) by modifying known plaintext blocks (such as MIME headers). When the target user decrypts and views the modified email message, the target user's mail client will parse the resulting modified HTML content and disclose the original plaintext to a remote URL.
This exploit is the "CFB gadget" attack method of the vulnerability referred to as "EFAIL".
Remediation
Install update from vendor's website.