CVE-2017-17688
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2017-17688 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
The research paper talks about use of HTML as a back channel to create an oracle for modified encrypted emails. HTML emails which use external links like "" can cause security issues if they are honored by the MUAs. Due to flaws in MIME parsers many MUAs seem to concatenate decrypted HTML mine parts which makes it easy to plan such snippets in HTML emails. Please refer to https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html about how GnuPG can mitigate this flaw.
CVSS v3 metrics
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 5.3 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | None |
| Availability Impact | None |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 7 | kdepim | Not affected |
| Red Hat Enterprise Linux 7 | evolution-data-server | Not affected |
| Red Hat Enterprise Linux 7 | thunderbird | Not affected |
| Red Hat Enterprise Linux 6 | thunderbird | Not affected |
| Red Hat Enterprise Linux 6 | kdepim | Not affected |
| Red Hat Enterprise Linux 6 | evolution-data-server | Not affected |
Mitigation
The easiest way to mitigate this vulnerability is not to use HTML emails. If you really need to use them ensure that MUA clients disable external links embedded in HTML emails. For example in thunderbird email client, Edit->Preferences->Privacy->Disable "Allow remote content in messages".
External References
CVE description copyright © 2017, The MITRE Corporation