A team of security researchers has discovered several vulnerabilities in various implementations of OpenPGP and S/MIME email signature verification that could allow attackers to spoof signatures on over a dozen of popular email clients.
The affected email clients include Thunderbird, Microsoft Outlook, Apple Mail with GPGTools, iOS Mail, GpgOL, KMail, Evolution, MailMate, Airmail, K-9 Mail, Roundcube and Mailpile.
When you send a digitally signed email, it offers end-to-end authenticity and integrity of messages, ensuring recipients that the email has actually come from you.
However, researchers tested 25 widely-used email clients for Windows, Linux, macOS, iOS, Android and Web and found that at least 14 of them were vulnerable to multiple types of practical attacks under five below-mentioned categories, making spoofed signatures indistinguishable from a valid one even by an attentive user.
The research was conducted by a team of researchers from Ruhr University Bochum and Münster University of Applied Sciences, which includes Jens Müller , Marcus Brinkmann , Damian Poddebniak , Hanno Böck, Sebastian Schinzel , Juraj Somorovsky, and Jörg Schwenk.
"In our scenario, we assume two trustworthy communication partners, Alice and Bob, who have securely exchanged their public PGP keys or S/MIME certificates," the team explains in a research paper [PDF] published today.
"The goal of our attacker Eve is to create and send an email with arbitrary content to Bob whose email client falsely indicates that the email has been digitally signed by Alice."
1) CMS Attacks (C1, C2, C3, C4) — Flaws due to mishandling of Cryptographic Message Syntax (CMS), the container format of S/MIME, lead to contradicting or unusual data structures, such as multiple signers or no signers.
2) GPG API Attacks (G1, G2) — Implementation flaws in many email clients fail to properly parse a wide range of different inputs that could allow attackers to inject arbitrary strings into GnuPG status line API and logging messages, tricking clients into displaying successful signature validation for arbitrary public keys.
3) MIME Attacks (M1, M2, M3, M4) — MIME wrapping attacks abuse how email clients handle partially signed messages. These attacks allow attackers to trick email clients into showing an unsigned text while verifying an unrelated signature in another part (which remains invisible).
4) ID attacks (I1, I2, I3) — These attacks rely on the weaknesses in the binding of signed messages to the sender identity by mail clients, allowing attackers to display a valid signature from the identity (ID) of a trusted communication partner located in the mail header.
5) UI Attacks (U1) — User Interface (UI) redressing attacks are successful if attackers found a way to mimic, using HTML, CSS, or inline images, some important UI elements of an email client that could allow them to display an indicator of a valid signature.
Below are the results of all of the above-mentioned signature spoofing attacks tested against various email clients for OpenPGP, where full blacked circle indicator represents "Perfect forgery," half blacked circle represents "Partial forgery," and the white one represents "Weak forgery."
The next table shows results for S/MIME signature verification:
Interestingly, researchers also found that some email signature spoofing attacks can also be used to spoof decryption results, "causing the email client to indicate an encrypted message where in fact the plaintext was transmitted in the clear."
"Our attacker model does not include any form of social engineering. The user opens and reads received emails as always, so awareness training does not help to mitigate the attacks," the researchers say.
Though most of these partial and weak forgery attacks can potentially be detected by carefully inspecting the GUI or manually clicking to receive more signature details, it still concerns when a large number of sensitive users and communities relies on email encryption and verification for authentication.
The vulnerabilities in email clients have been given the following CVEs: CVE-2018-18509, CVE-2018-12019, CVE-2018-12020, CVE-2017-17848, CVE-2018-15586, CVE-2018-15587, CVE-2018-15588, CVE-2019-8338, CVE-2018-12356, CVE-2018-12556, and CVE-2019-728.
Researchers reported these vulnerabilities to affected vendors and developers, as well as suggested appropriate countermeasures, which have now been implemented in the latest versions of most of the affected software.