Vulnerability Name:

CVE-2017-17688 (CCN-143326)

Assigned:2017-12-15
Published:2018-05-14
Updated:2019-10-03
Summary:** DISPUTED ** The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.
Note: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification.
CVSS v3 Severity:5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
4.9 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2017-17688

Source: MISC
Type: Third Party Advisory
http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.html

Source: CCN
Type: US-CERT VU#122919
OpenPGP and S/MIME mail client vulnerabilities

Source: BID
Type: Third Party Advisory, VDB Entry
104162

Source: CCN
Type: BID-104162
OpenPGP CVE-2017-17688 Man In The Middle Information Disclosure Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1040904

Source: CCN
Type: Red Hat Bugzilla – Bug 1577906
(CVE-2017-17688) CVE-2017-17688 OpenPGP: CFB gadget attacks allows to exfiltrate plaintext out of encrypted emails

Source: MISC
Type: Exploit, Mitigation, Third Party Advisory
https://efail.de

Source: CCN
Type: EFAIL Web site
EFAIL

Source: XF
Type: UNKNOWN
openpgp-cve201717688-info-disc(143326)

Source: MISC
Type: Third Party Advisory
https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://news.ycombinator.com/item?id=17066419

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://protonmail.com/blog/pgp-vulnerability-efail

Source: MISC
Type: Third Party Advisory
https://twitter.com/matthew_d_green/status/995996706457243648

Source: CCN
Type: OpenPGP Web site
OpenPGP

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://www.patreon.com/posts/cybersecurity-15-18814817

Source: CONFIRM
Type: Third Party Advisory
https://www.synology.com/support/security/Synology_SA_18_22

Vulnerable Configuration:Configuration 1:
  • cpe:/a:apple:mail:-:*:*:*:*:*:*:*
  • OR cpe:/a:apple:mail:-:*:*:*:*:iphone_os:*:*
  • OR cpe:/a:bloop:airmail:-:*:*:*:*:*:*:*
  • OR cpe:/a:emclient:emclient:-:*:*:*:*:*:*:*
  • OR cpe:/a:flipdogsolutions:maildroid:-:*:*:*:*:*:*:*
  • OR cpe:/a:freron:mailmate:-:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_imp:-:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:outlook:2007:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:thunderbird:-:*:*:*:*:*:*:*
  • OR cpe:/a:postbox-inc:postbox:-:*:*:*:*:*:*:*
  • OR cpe:/a:r2mail2:r2mail2:-:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:-:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:microsoft:outlook:2007:*:*:*:*:*:*:*
  • OR cpe:/a:apple:mail:*:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:thunderbird:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:thunderbird:24.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:thunderbird:17.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:thunderbird:45.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:thunderbird:52.5.1:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:654
    P
    		Security update for go1.18 (Important) (in QA)
    2022-10-05
    oval:org.opensuse.security:def:201717688
    V
    		CVE-2017-17688
    2022-09-02
    oval:org.opensuse.security:def:3553
    P
    		libXRes1-1.0.7-3.53 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:1702
    P
    		Security update for salt (Important)
    2022-06-24
    oval:org.opensuse.security:def:95183
    P
    		enigmail-2.2.4-3.27.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:112190
    P
    		enigmail-2.2.4-1.4 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:105722
    P
    		Security update for apache2 (Important) (in QA)
    2022-01-10
    oval:org.opensuse.security:def:1146
    P
    		Security update for log4j12 (Important)
    2021-12-17
    oval:org.opensuse.security:def:1741
    P
    		Security update for the Linux Kernel (Important)
    2021-11-11
    oval:org.opensuse.security:def:66942
    P
    		Security update for the Linux Kernel (Important)
    2021-10-12
    oval:org.opensuse.security:def:64774
    P
    		Security update for curl (Moderate)
    2021-10-06
    oval:org.opensuse.security:def:1782
    P
    		Security update for ffmpeg (Moderate)
    2021-10-06
    oval:org.opensuse.security:def:70298
    P
    		Security update for grilo (Important)
    2021-10-06
    oval:org.opensuse.security:def:71361
    P
    		perl-5.26.1-7.6.1 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:47682
    P
    		libXrandr2-1.5.0-6.2 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47628
    P
    		gpg2-2.0.24-9.3.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48089
    P
    		libXvnc1-1.6.0-22.7.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47803
    P
    		libvirglrenderer0-0.5.0-11.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48181
    P
    		libpython3_4m1_0-3.4.6-25.29.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47996
    P
    		dracut-044.2-15.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47667
    P
    		libQt5Concurrent5-5.6.2-6.12.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48329
    P
    		ucode-intel-20191112-1.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48128
    P
    		libipa_hbac0-1.16.1-4.17.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48220
    P
    		libvpx1-1.3.0-3.3.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47629
    P
    		gpgme-1.5.1-1.11 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47643
    P
    		hplip-3.16.11-1.33 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47764
    P
    		libpng12-0-1.2.50-19.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47668
    P
    		libQt5WebKit5-5.6.2-1.31 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47957
    P
    		augeas-1.10.1-2.6 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:1107
    P
    		libpcre2-16-0-10.31-1.14 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:101029
    P
    		opie-32bit-2.4-1.96 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:68021
    P
    		Security update for the Linux Kernel (Important)
    2021-07-21
    oval:org.opensuse.security:def:66850
    P
    		Security update for qemu (Moderate)
    2021-06-30
    oval:org.opensuse.security:def:63533
    P
    		enigmail-2.0.5-1.2 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48689
    P
    		libpolkit0-32bit-0.112-2.189 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:2444
    P
    		enigmail-2.0.5-1.2 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48754
    P
    		pulseaudio-module-bluetooth-5.0-2.7 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48785
    P
    		libIlmImf-Imf_2_1-21-32bit-2.1.0-4.5 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48728
    P
    		kernel-default-extra-3.12.49-11.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48543
    P
    		libpython3_4m1_0-3.4.1-12.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48856
    P
    		libid3tag0-0.15.1b-182.58 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48793
    P
    		libmysqlclient_r18-10.0.27-12.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48627
    P
    		stunnel-5.00-3.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48368
    P
    		apache2-2.4.23-14.7 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48824
    P
    		bash-lang-4.3-82.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48582
    P
    		openslp-2.0.0-11.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48895
    P
    		bogofilter-1.2.4-5.3 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48666
    P
    		cyrus-sasl-digestmd5-32bit-2.1.26-7.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:73633
    P
    		Security update for python-httplib2 (Moderate)
    2021-05-31
    oval:org.opensuse.security:def:64687
    P
    		Security update for dtc (Low)
    2021-05-13
    oval:org.opensuse.security:def:71474
    P
    		ecryptfs-utils-111-2.31 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:94316
    P
    		enigmail-2.1.5-3.22.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63572
    P
    		enigmail-2.0.9-3.13.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:2483
    P
    		enigmail-2.0.9-3.13.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:117210
    P
    		enigmail-2.1.5-3.22.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63613
    P
    		enigmail-2.1.5-3.22.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:103756
    P
    		enigmail-2.0.9-3.13.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:2524
    P
    		enigmail-2.1.5-3.22.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:90101
    P
    		enigmail-2.0.9-3.13.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:107695
    P
    		enigmail-2.1.5-3.22.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:25732
    P
    		Security update for qemu (Important)
    2020-12-01
    oval:org.opensuse.security:def:25605
    P
    		Security update for MozillaFirefox (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25441
    P
    		Security update for dhcp (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:50089
    P
    		postgresql-contrib on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25746
    P
    		Security update for openssl-1_1 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:24989
    P
    		Security update for bzip2 (Important)
    2020-12-01
    oval:org.opensuse.security:def:50143
    P
    		enigmail on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25017
    P
    		Security update for ceph (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25591
    P
    		Security update for python (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25790
    P
    		Security update for flash-player (Important)
    2020-12-01
    oval:org.opensuse.security:def:25053
    P
    		Security update for libunwind (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25644
    P
    		Security update for taglib (Low)
    2020-12-01
    oval:org.opensuse.security:def:50128
    P
    		apache2-mod_php7 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:73515
    P
    		nasm on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25180
    P
    		Security update for file-roller (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25028
    P
    		Security update for djvulibre (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:50182
    P
    		enigmail on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25261
    P
    		Security update for python-cffi, python-cryptography (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25092
    P
    		Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:68121
    P
    		enigmail on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26424
    P
    		Security update for enigmail (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:50169
    P
    		pidgin-plugin-otr on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25318
    P
    		Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:26389
    P
    		Security update for chromium (Important)
    2020-12-01
    oval:org.opensuse.security:def:25219
    P
    		Security update for java-1_8_0-ibm (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25693
    P
    		Security update for LibreOffice (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:50223
    P
    		enigmail on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:70193
    P
    		perl-doc on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25402
    P
    		Security update for libvirt (Important)
    2020-12-01
    oval:org.opensuse.security:def:25300
    P
    		Security update for dovecot22 (Important)
    2020-12-01
    oval:org.opensuse.security:def:25707
    P
    		Security update for java-1_7_1-ibm (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26463
    P
    		Security update for enigmail (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:24978
    P
    		Security update for libxml2 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25552
    P
    		Security update for python3-requests (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25357
    P
    		Security update for squid (Important)
    2020-12-01
    oval:org.opensuse.security:def:26428
    P
    		Security update for redis (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25751
    P
    		Security update for libssh (Moderate)
    2020-12-01
    oval:com.ubuntu.bionic:def:2017176880000000
    V
    		CVE-2017-17688 on Ubuntu 18.04 LTS (bionic) - medium.
    2018-05-16
    oval:com.ubuntu.artful:def:201717688000
    V
    		CVE-2017-17688 on Ubuntu 17.10 (artful) - medium.
    2018-05-16
    oval:com.ubuntu.xenial:def:201717688000
    V
    		CVE-2017-17688 on Ubuntu 16.04 LTS (xenial) - medium.
    2018-05-16
    oval:com.ubuntu.xenial:def:2017176880000000
    V
    		CVE-2017-17688 on Ubuntu 16.04 LTS (xenial) - medium.
    2018-05-16
    oval:com.ubuntu.bionic:def:201717688000
    V
    		CVE-2017-17688 on Ubuntu 18.04 LTS (bionic) - medium.
    2018-05-16
    oval:com.ubuntu.disco:def:2017176880000000
    V
    		CVE-2017-17688 on Ubuntu 19.04 (disco) - medium.
    2018-05-16
    oval:com.ubuntu.cosmic:def:201717688000
    V
    		CVE-2017-17688 on Ubuntu 18.10 (cosmic) - medium.
    2018-05-16
    oval:com.ubuntu.cosmic:def:2017176880000000
    V
    		CVE-2017-17688 on Ubuntu 18.10 (cosmic) - medium.
    2018-05-16
    oval:com.ubuntu.trusty:def:201717688000
    V
    		CVE-2017-17688 on Ubuntu 14.04 LTS (trusty) - medium.
    2018-05-16
    BACK
    apple mail -
    apple mail -
    bloop airmail -
    emclient emclient -
    flipdogsolutions maildroid -
    freron mailmate -
    horde horde imp -
    microsoft outlook 2007
    mozilla thunderbird -
    postbox-inc postbox -
    r2mail2 r2mail2 -
    roundcube webmail -
    microsoft outlook 2007
    apple mail *
    mozilla thunderbird 16.0
    mozilla thunderbird 24.0
    mozilla thunderbird 17.0
    mozilla thunderbird 45.5.0
    mozilla thunderbird 52.5.1