7:30AM, 15 May 2018

TLP Rating: White

S/MIME and OpenPGP email client vulnerability

UPDATED: 10.20am, minor wording clarification. We originally referred to S/MIME and OpenPGP protocol vulnerabilities. The update clarifies the vulnerability also affects mail clients and the way they handle and display S/MIME and OpenPGP encrypted messages.

CERT NZ is aware of a new vulnerability in email clients and their use of OpenPGP and S/MIME, which are two major standards for providing end-to-end encryption for emails.

This attack can be performed on an encrypted email that an attacker has collected, including emails that have been sent a while ago.

CERT NZ is not aware of any active attacks. However, we strongly recommend you:

  • block all backchannels used in your email clients
  • stay up-to-date with patches from your email client and encryption plugins. Email clients may release a patch to fix this vulnerability once the S/MIME and OpenPGP standards are updated.