[kmail2] [Bug 404698] New: Decryption Oracle based on replying to PGP or S/MIME encrypted emails

Fri Feb 22 12:52:18 GMT 2019

https://bugs.kde.org/show_bug.cgi?id=404698

            Bug ID: 404698
           Summary: Decryption Oracle based on replying to PGP or S/MIME
                    encrypted emails
           Product: kmail2
           Version: unspecified
          Platform: Debian stable
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: crypto
          Assignee: kdepim-bugs at kde.org
          Reporter: jens.a.mueller+kde at rub.de
  Target Milestone: ---

In the scope of academic research in cooperation with Ruhr-Uni Bochum and FH
Münster, Germany we discovered a security issue in KMail: An attacker who is in
possession of PGP or S/MIME encrypted messages can embed them into a multipart
message and re-send them to the intended receiver. When the message is read and
decrypted by the receiver, the attacker's content is shown. If the victim
replies, the plaintext is leaked to an attacker's email address. The root cause
for these vulnerabilities lies in the way KMail (and many other mail clients)
handle partially encrypted multipart messages.

-----------------------------------------
*Leaking plaintext through reply/forward*
-----------------------------------------

/Attacker model/: Attacker is in possession of PGP or S/MIME encrypted
messages, which she may have obtained as passive man-in-the-middle or by
actively hacking into the victim's mail server or gateway

/Attacker's goal/: Leak the plaintext by wrapping the ciphertext part within a
benign-looking MIME mail sent to and decrypted+replied to by the victim

/Attack outline:/ If KMail receives a multipart email, as depicted below, it
decrypt the ciphertext part(s), together with the attacker-controlled text
(which may be prepended and/or appended).

multipart/mixed
   |--- Attacker's part
   |--- [encrypted part to leak]
   +--- [Attacker's encrypted part]

A benign-looking attacker's text may lure the victim into replying. Because the
decrypted part is also quoted in the reply, the user unintentionally acts as a
decryption oracle. To obfuscate the existence of the encrypted part(s), the
attacker may add a lot of newlines or hide it within a long conversation
history. A user replying to such a ‘mixed content’ conversation thereby leaks
the plaintext of encrypted messages wrapped within attacker-controlled text.

Please find attached a raw .eml file which depicts the issue.

---------------
Countermeasures
---------------

Do not decrypt emails unless the PGP or S/MIME encrypted part is the root node
-- and therefore the only part -- in the MIME tree (exception: multipart/signed
for encrypted-then-signed S/MIME messages). Another, potentially less secure,
option would be to quote only the very first MIME part in replies.

-- 
You are receiving this mail because:
You are the assignee for the bug.