[kmail2] [Bug 404698] Decryption Oracle based on replying to PGP or S/MIME encrypted emails

2019-04-26 Thread Jens Mueller
https://bugs.kde.org/show_bug.cgi?id=404698

--- Comment #15 from Jens Mueller  ---
@David: This would mean if you attach a non-encrypted image to an encrypted...

Absolutely, such an email could not be decrypted anymore if you follow our
suggestions (or had to be manually decrypted on the command line). While this
may seem a bit harsh, we have not seen any mail client that allows sending such
"partially encrypted" emails (e.g., with unencrypted attachments), and I think
handling such edge cases can become a security nightmare. Either the whole mail
is encrypted or it's not; everything else gives a false sense of security,
imho.

However, I see the developer's perspective and the fear of potentially
breaking things, too. I guess a rule like "in case of an encrypted, multipart
email, reply only with the first part" *should* be fine too.

@Sandro: We originally tested in version 5.2.3 on Debian 9.8 (stretch). This
version is probably outdated by now.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[kmail2] [Bug 404698] Decryption Oracle based on replying to PGP or S/MIME encrypted emails

2019-04-26 Thread Jens Mueller
https://bugs.kde.org/show_bug.cgi?id=404698

Jens Mueller  changed:

   What|Removed |Added

Version|5.10.3  |unspecified


[kmail2] [Bug 404698] Decryption Oracle based on replying to PGP or S/MIME encrypted emails

2019-04-18 Thread Jens Mueller
https://bugs.kde.org/show_bug.cgi?id=404698

--- Comment #10 from Jens Mueller  ---
Update: Here's a full (public) report on the issue:
https://arxiv.org/ftp/arxiv/papers/1904/1904.07550.pdf

For KMail, CVE-2019-10732 was assigned for reply-based `decryption oracles`.


[kmail2] [Bug 404698] Decryption Oracle based on replying to PGP or S/MIME encrypted emails

2019-04-16 Thread Jens Mueller
https://bugs.kde.org/show_bug.cgi?id=404698

--- Comment #9 from Jens Mueller  ---
Imho, there are no legitimate use cases for `partial encryption` in S/MIME and
PGP/MIME, but it's hard to measure if such emails do exist in the wild. In case
of PGP/Inline, unfortunately, every part is encrypted separately. Note that a
captured PGP/MIME message can be `downgraded` to be interpreted in the context
of PGP/INLINE.


[kmail2] [Bug 404698] Decryption Oracle based on replying to PGP or S/MIME encrypted emails

2019-04-13 Thread Jens Mueller
https://bugs.kde.org/show_bug.cgi?id=404698

--- Comment #7 from Jens Mueller  ---
Exactly that's the problem. Note that not only one message, but hundreds of
captured messages can be wrapped and leaked with one single reply.

Traditional message takeover attacks under a new identity (C) are considered
an acceptable risk in email e2e encryption because it is assumed that, given the
context of the message (e.g., “Hi A, [...] Yours, B”), B can tell that this
message is not originally from C and could easily discover the deception.
However, using MIME wrapping, C can make different content be displayed to
B (if B does not carefully scroll down the whole message conversation) and
therefore potentially trick B into replying to C.


[kmail2] [Bug 404698] Decryption Oracle based on replying to PGP or S/MIME encrypted emails

2019-04-09 Thread Jens Mueller
https://bugs.kde.org/show_bug.cgi?id=404698

--- Comment #4 from Jens Mueller  ---
Things may have changed in the meantime, but for the version we tested
(v5.2.3), there is no need to click on "Decrypt Message". While the plaintext
is not shown to the user, if he does not explicitly click "Decrypt Message",
the plaintext is still included in replies -- just re-tested for S/MIME and
PGP/MIME. Note that KMail was tested in the default settings (the option
"Attempt decryption of encrypted messages when viewing" was *not* set).


[kmail2] [Bug 404698] Decryption Oracle based on replying to PGP or S/MIME encrypted emails

2019-02-22 Thread Jens Mueller
https://bugs.kde.org/show_bug.cgi?id=404698

--- Comment #2 from Jens Mueller  ---
Created attachment 118289
  --> https://bugs.kde.org/attachment.cgi?id=118289=edit
Proof-of-concept S/MIME


[kmail2] [Bug 404698] Decryption Oracle based on replying to PGP or S/MIME encrypted emails

2019-02-22 Thread Jens Mueller
https://bugs.kde.org/show_bug.cgi?id=404698

--- Comment #1 from Jens Mueller  ---
Created attachment 118288
  --> https://bugs.kde.org/attachment.cgi?id=118288=edit
Proof-of-concept PGP


[kmail2] [Bug 404698] New: Decryption Oracle based on replying to PGP or S/MIME encrypted emails

2019-02-22 Thread Jens Mueller
https://bugs.kde.org/show_bug.cgi?id=404698

Bug ID: 404698
   Summary: Decryption Oracle based on replying to PGP or S/MIME
encrypted emails
   Product: kmail2
   Version: unspecified
  Platform: Debian stable
OS: Linux
Status: REPORTED
  Severity: normal
  Priority: NOR
 Component: crypto
  Assignee: kdepim-bugs@kde.org
  Reporter: jens.a.mueller+...@rub.de
  Target Milestone: ---

In the scope of academic research in cooperation with Ruhr-Uni Bochum and FH
Münster, Germany, we discovered a security issue in KMail: An attacker who is in
possession of PGP or S/MIME encrypted messages can embed them into a multipart
message and re-send them to the intended receiver. When the message is read and
decrypted by the receiver, the attacker's content is shown. If the victim
replies, the plaintext is leaked to an attacker's email address. The root cause
for these vulnerabilities lies in the way KMail (and many other mail clients)
handles partially encrypted multipart messages.

-
*Leaking plaintext through reply/forward*
-

/Attacker model/: Attacker is in possession of PGP or S/MIME encrypted
messages, which she may have obtained as a passive man-in-the-middle or by
actively hacking into the victim's mail server or gateway.

/Attacker's goal/: Leak the plaintext by wrapping the ciphertext part within a
benign-looking MIME mail sent to and decrypted+replied to by the victim.

/Attack outline:/ If KMail receives a multipart email, as depicted below, it
decrypts the ciphertext part(s), together with the attacker-controlled text
(which may be prepended and/or appended).

multipart/mixed
   |--- Attacker's part
   |--- [encrypted part to leak]
   +--- [Attacker's encrypted part]

A benign-looking attacker's text may lure the victim into replying. Because the
decrypted part is also quoted in the reply, the user unintentionally acts as a
decryption oracle. To obfuscate the existence of the encrypted part(s), the
attacker may add a lot of newlines or hide it within a long conversation
history. A user replying to such a ‘mixed content’ conversation thereby leaks
the plaintext of encrypted messages wrapped within attacker-controlled text.

Please find attached a raw .eml file which depicts the issue.

---
Countermeasures
---

Do not decrypt emails unless the PGP or S/MIME encrypted part is the root node
-- and therefore the only part -- in the MIME tree (exception: multipart/signed
for encrypted-then-signed S/MIME messages). Another, potentially less secure,
option would be to quote only the very first MIME part in replies.

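One way to implement the root-node rule from the countermeasures above, as an added example that is not part of the bug report or of KMail's code: a check over a parsed MIME tree using only Python's standard-library email package. The sample messages are constructed here with placeholder ciphertext; only the MIME structure matters for the check.

```python
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def is_encrypted_part(part: Message) -> bool:
    """True for a PGP/MIME (RFC 3156) or S/MIME enveloped-data part."""
    ctype = part.get_content_type()
    if ctype == "multipart/encrypted":
        return part.get_param("protocol") == "application/pgp-encrypted"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return part.get_param("smime-type", "enveloped-data") == "enveloped-data"
    return False


def decryption_allowed(msg: Message) -> bool:
    """Root-node rule: decrypt only when the encrypted part is the whole message.
    Sole exception: a multipart/signed root (encrypted-then-signed S/MIME) whose
    signed body, i.e. the first of its two parts (RFC 1847), is the encrypted part."""
    if is_encrypted_part(msg):
        return True
    if msg.get_content_type() == "multipart/signed" and msg.is_multipart():
        inner = msg.get_payload()
        return len(inner) == 2 and is_encrypted_part(inner[0])
    # multipart/mixed and every other wrapper: refuse, this is the reported case
    return False


# --- constructed samples; the ciphertext bodies are placeholders, not real data ---
def pgp_mime_sample() -> Message:
    enc = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    enc.attach(MIMEApplication(b"Version: 1", "pgp-encrypted"))
    enc.attach(MIMEApplication(b"PLACEHOLDER CIPHERTEXT", "octet-stream"))
    return enc


def signed_smime_sample() -> Message:
    """Encrypted-then-signed S/MIME: the one wrapper the rule permits."""
    env = MIMEApplication(b"PLACEHOLDER", "pkcs7-mime", smime_type="enveloped-data")
    signed = MIMEMultipart("signed", protocol="application/pkcs7-signature")
    signed.attach(env)
    signed.attach(MIMEApplication(b"PLACEHOLDER SIG", "pkcs7-signature"))
    return signed


def wrapped_attack_sample() -> Message:
    """The report's tree: attacker text followed by a captured encrypted part."""
    outer = MIMEMultipart("mixed")
    outer.attach(MIMEText("Hi, could you confirm the details below?"))
    outer.attach(pgp_mime_sample())
    return outer
```

The wrapped sample still contains a valid encrypted part at a non-root position, so a client that walks the tree and decrypts every encrypted node would display it; the check rejects it before any decryption is attempted.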