7:30am, 15 May 2018
TLP Rating: White
S/MIME and OpenPGP email client vulnerability
UPDATED: 10.20am, minor wording clarification. We originally referred to S/MIME and OpenPGP protocol vulnerabilities. The update clarifies the vulnerability also affects mail clients and the way they handle and display S/MIME and OpenPGP encrypted messages.
CERT NZ is aware of a new vulnerability in email clients and their use of OpenPGP and S/MIME, which are two major standards for providing end-to-end encryption for emails.
This attack can be performed on an encrypted email that an attacker has collected, including emails that were sent some time ago.
CERT NZ is not aware of any active attacks. However, we strongly recommend you:
- block all backchannels used in your email clients
- stay up to date with patches for your email client and encryption plugins. Email clients may release a patch to fix this vulnerability once the S/MIME and OpenPGP standards are updated.
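
One way to check which backchannels a message would open, as an added example (not CERT NZ's own code): it takes "backchannel" to mean anything in an HTML mail body that makes the client fetch a remote URL while displaying the message, and lists those references so they can be blocked or stripped before rendering. The attribute list, the names `BackchannelFinder` and `find_backchannels`, and the sample message are constructed for illustration, and the list is not exhaustive.

```python
import re
from html.parser import HTMLParser

# Attributes that can trigger a fetch while a message renders (illustrative, not exhaustive).
URL_ATTRS = {"src", "srcset", "background", "poster", "data", "href"}
REMOTE = re.compile(r"^\s*(https?:)?//", re.I)            # absolute or scheme-relative URL
CSS_URL = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)", re.I)

class BackchannelFinder(HTMLParser):
    """Collects (tag, attribute, url) for every remote reference that loads without a click."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        self._in_style = self._in_style or tag == "style"
        for name, value in attrs:
            value = value or ""
            if name == "style":                            # inline CSS
                self._css(tag, value)
            elif name == "href" and tag != "link":         # <a href> needs a click
                continue
            elif name in URL_ATTRS and REMOTE.match(value):
                self.findings.append((tag, name, value.strip()))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                                 # contents of a <style> element
            self._css("style", data)

    def _css(self, tag, css):
        for url in CSS_URL.findall(css):
            self.findings.append((tag, "css-url", url))

def find_backchannels(html_body):
    finder = BackchannelFinder()
    finder.feed(html_body)
    finder.close()
    return finder.findings

# Constructed sample message body (not taken from a real email).
SAMPLE = """<html><head><style>body { background: url('https://tracker.example/bg.png'); }</style>
<link rel="stylesheet" href="//cdn.example/mail.css"></head><body><p>Report attached.</p>
<img src="https://tracker.example/pixel.gif" width="1" height="1"><img src="cid:logo@local">
<a href="https://www.example/report">Open report</a></body></html>"""
```

`find_backchannels(SAMPLE)` reports the stylesheet link, the CSS background image and the remote image, and ignores the embedded `cid:` image and the clickable link.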