Vulnerabilities in OpenPGP and S/MIME Could Reveal Email Content

Security researchers have discovered critical vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME. Successful exploitation of the vulnerabilities, dubbed “EFAIL,” could allow threat actors to decrypt sent or received email messages, revealing the plaintext, readable content. The vulnerabilities may be exploited via a CBC/CFB gadget attack or an HTML exfiltration attack. The NJCCIC recommends those using OpenPGP and S/MIME for email encryption review the EFAIL report and the CERT/CC Vulnerability Note, disable the viewing of HTML email to eliminate the primary way of exploiting the flaws, and apply patches if and when they become available.