CVE-2017-17848 - OpenCVE

An issue was discovered in Enigmail before 1.9.9. In a variant of CVE-2017-17847, signature spoofing is possible for multipart/related messages because a signed message part can be referenced with a cid: URI but not actually displayed. In other words, the entire containing message appears to be signed, but the recipient does not see any of the signed text.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Enigmail	Enigmail

Configuration 1 [-]

cpe:2.3:a:enigmail:enigmail:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:7.0:::::::*
	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

References

Link	Resource
http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html	Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2019/Apr/38	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/04/30/4	Mailing List Third Party Advisory
https://github.com/RUB-NDS/Johnny-You-Are-Fired
https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf
https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-security-announce/2017/msg00333.html	Mailing List Third Party Advisory
https://sourceforge.net/p/enigmail/bugs/709/	Third Party Advisory
https://www.debian.org/security/2017/dsa-4070	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-12-22T23:00:00

Updated: 2019-05-16T17:00:34

Reserved: 2017-12-22T00:00:00

Link: CVE-2017-17848

JSON object: View

NVD Information

Status : Modified

Published: 2017-12-27T17:08:19.920

Modified: 2019-05-16T17:29:00.307

Link: CVE-2017-17848

JSON object: View

Redhat Information

No data.

CWE

CWE-347

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-12-22T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in Enigmail before 1.9.9. In a variant of CVE-2017-17847, signature spoofing is possible for multipart/related messages because a signed message part can be referenced with a cid: URI but not actually displayed. In other words, the entire containing message appears to be signed, but the recipient does not see any of the signed text."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-05-16T17:00:34", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://sourceforge.net/p/enigmail/bugs/709/"}, {"tags": ["x_refsource_MISC"], "url": "https://lists.debian.org/debian-security-announce/2017/msg00333.html"}, {"name": "[debian-lts-announce] 20171223 [SECURITY] [DLA 1219-1] enigmail security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html"}, {"name": "DSA-4070", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2017/dsa-4070"}, {"name": "[oss-security] 20190430 Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/04/30/4"}, {"name": "20190430 OpenPGP and S/MIME signature forgery attacks in multiple email clients", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/Apr/38"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-17848", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Enigmail before 1.9.9. In a variant of CVE-2017-17847, signature spoofing is possible for multipart/related messages because a signed message part can be referenced with a cid: URI but not actually displayed. In other words, the entire containing message appears to be signed, but the recipient does not see any of the signed text."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://sourceforge.net/p/enigmail/bugs/709/", "refsource": "MISC", "url": "https://sourceforge.net/p/enigmail/bugs/709/"}, {"name": "https://lists.debian.org/debian-security-announce/2017/msg00333.html", "refsource": "MISC", "url": "https://lists.debian.org/debian-security-announce/2017/msg00333.html"}, {"name": "[debian-lts-announce] 20171223 [SECURITY] [DLA 1219-1] enigmail security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html"}, {"name": "DSA-4070", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2017/dsa-4070"}, {"name": "[oss-security] 20190430 Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/04/30/4"}, {"name": "20190430 OpenPGP and S/MIME signature forgery attacks in multiple email clients", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/Apr/38"}, {"name": "http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html"}, {"name": "https://github.com/RUB-NDS/Johnny-You-Are-Fired", "refsource": "MISC", "url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired"}, {"name": "https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf", "refsource": "MISC", "url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-17848", "datePublished": "2017-12-22T23:00:00", "dateReserved": "2017-12-22T00:00:00", "dateUpdated": "2019-05-16T17:00:34", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:enigmail:enigmail:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB028A65-2C8A-4D9C-88F8-78BAE49E77C4", "versionEndExcluding": "1.9.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Enigmail before 1.9.9. In a variant of CVE-2017-17847, signature spoofing is possible for multipart/related messages because a signed message part can be referenced with a cid: URI but not actually displayed. In other words, the entire containing message appears to be signed, but the recipient does not see any of the signed text."}, {"lang": "es", "value": "Se ha descubierto un problema en versiones anteriores a la 1.9.9 de Enigmail. En una variante de CVE-2017-17847, se puede dar la suplantaci\u00f3n de firma para mensajes multipart/related debido a que se puede hacer referencia a una parte del mensaje firmado con un id de contenido cid: URI, pero no se puede mostrar. En otras palabras, todo el contenido del mensaje aparece como firmado, pero el destinatario no visualiza nada del texto firmado."}], "id": "CVE-2017-17848", "lastModified": "2019-05-16T17:29:00.307", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-12-27T17:08:19.920", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/Apr/38"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2019/04/30/4"}, {"source": "cve@mitre.org", "url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired"}, {"source": "cve@mitre.org", "url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-security-announce/2017/msg00333.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://sourceforge.net/p/enigmail/bugs/709/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2017/dsa-4070"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}]}