Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Decryption Oracle based on replying to PGP encrypted emails #6638

Closed
jensvoid opened this issue Feb 22, 2019 · 3 comments
Closed

Decryption Oracle based on replying to PGP encrypted emails #6638

jensvoid opened this issue Feb 22, 2019 · 3 comments
Labels
bug C: Encryption C: Plugins C: Security
Milestone
1.4-rc2

Comments

@jensvoid
Copy link

In the scope of academic research in cooperation with Ruhr-Uni Bochum and FH Münster, Germany we discovered a security issue in Roundcube/Enigma: An attacker who is in possession of PGP encrypted messages can embed them into a multipart message and re-send them to the intended receiver. When the message is read and decrypted by the receiver, the attacker's content is shown. If the victim replies, the plaintext is leaked to an attacker's email address. The root cause for these vulnerabilities lies in the way Roundcube (and many other mail clients) handle partially encrypted multipart messages.

Leaking plaintext through replies

Attacker model: Attacker is in possession of PGP encrypted messages, which she may have obtained as passive man-in-the-middle or by actively hacking into the victim's mail server or gateway

Attacker's goal: Leak the plaintext by wrapping the ciphertext part within a benign-looking MIME mail sent to and decrypted+replied to by the victim

Attack outline: If Roundcube receives a multipart email, as depicted below, it decrypt the ciphertext part(s), together with the attacker-controlled text (which may be prepended and/or appended).

multipart/mixed
   |--- Attacker's part
   |--- [encrypted part]
   +--- Attacker's part

A benign-looking attacker's text may lure the victim into replying. Because the decrypted part is also quoted in the reply, the user unintentionally acts as a decryption oracle. To obfuscate the existence of the encrypted part(s), the attacker may add a lot of newlines or hide it within a long conversation history. A user replying to such a ‘mixed content’ conversation thereby leaks the plaintext of encrypted messages wrapped within attacker-controlled text.

Countermeasures

Do not decrypt emails unless the PGP encrypted part is the root node -- and therefore the only part -- in the MIME tree.
@jensvoid
Copy link
Author

Please find attached a raw .eml file which depicts the issue.
00-pgp-mime-reply-mix-crlf.eml.txt

@alecpl alecpl added this to the later milestone Feb 22, 2019
@jensvoid
Copy link
Author

Update: Here's a full (public) report on the issue:
https://arxiv.org/ftp/arxiv/papers/1904/1904.07550.pdf

For Roundcube, CVE-2019-10740 was assigned for reply-based "decryption oracles".

alecpl added a commit that referenced this issue May 11, 2019
@alecpl
Enigma: Fix "decryption oracle" bug [CVE-2019-10740] (#6638)
8fe12e2 
When composing mail (on reply/forward/edit) we decrypt content only
in the first "content part" of the message.
alecpl added a commit that referenced this issue May 11, 2019
@alecpl
Enigma: Fix "decryption oracle" bug [CVE-2019-10740] (#6638)
de25226 
When composing mail (on reply/forward/edit) we decrypt content only
in the first "content part" of the message.
@alecpl alecpl modified the milestones: later, 1.4-rc2 May 11, 2019
@alecpl
Copy link
Member

alecpl commented May 11, 2019

Fixed.

@alecpl alecpl closed this as completed May 11, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug C: Encryption C: Plugins C: Security
Projects
None yet
Milestone
1.4-rc2
Development

No branches or pull requests
2 participants
@alecpl @jensvoid