#838 Efail: fail on GnuPG integrity check warnings for old Algorithms

[Andrew Gallagher]

For historical reasons, GnuPG returns a warning rather than an error on MDC failures if the ciphersuite in use predates the adoption of MDC. Enigmail therefore should not trust the return value from GnuPG and should fail on integrity check warnings even if GnuPG does not regard them as fatal.

This mitigates CVE-2017-17688

[Patrick Brunschwig]

How would you suggest that I can detect MDC failures if GnuPG doesn't tell me so ... ?

[Andrew Gallagher]

Patrick:

From your reply to Robert yesterday:

---

The problem is that gpg doesn't say anything. I would expect a
DECRYPTION_FAILED message here:

<snip></snip>

[GNUPG:] DECRYPTION_OKAY
gpg: WARNING: message was not integrity protected
[GNUPG:] END_DECRYPTION

---

So it did complain, just not as loudly as it should have. ;-)

A

On 15/05/18 12:04, Patrick Brunschwig wrote:

How would you suggest that I can detect MDC failures if GnuPG doesn't
tell me so ... ?

---

[bugs:#838] https://sourceforge.net/p/enigmail/bugs/838/ Fail on GPG
integrity check warnings

Status: open
Created: Tue May 15, 2018 09:10 AM UTC by Andrew Gallagher
Last Updated: Tue May 15, 2018 09:10 AM UTC
Owner: nobody

For historical reasons, GnuPG returns a warning rather than an error on
MDC failures if the ciphersuite in use predates the adoption of MDC.
Enigmail therefore should not trust the return value from GnuPG and
should fail on integrity check warnings even if GnuPG does not regard
them as fatal.

This mitigates CVE-2017-17688

---

Sent from sourceforge.net because you indicated interest in
https://sourceforge.net/p/enigmail/bugs/838/

To unsubscribe from further messages, please visit
https://sourceforge.net/auth/subscriptions/

--
Andrew Gallagher

[Andrew Gallagher]

[Patrick Brunschwig]

I'm sorry, but that won't work. The message
gpg: WARNING: message was not integrity protected
depends on the user's language. It's cannot be interpreted by Enigmail any may even vary depending on GnuPG versions.

Enigmail only respects machine readable output from GnuPG starting with [GNUPG:]. Anything else cannot be reliably considered as relevant output from GnuPG.

[Andrew Gallagher]

1. This is not intended to be foolproof, just a backstop sanity test.
2. You can force the language to C when invoking GPG. The output is not normally displayed to the user.
3. The fix has already been pushed to master in GPG, so we only need to worry about historical versions, not all new ones.

[Patrick Brunschwig]

I should note that all of the above only affects old algorithms like Cast5; algorithms like AES that were introduced after GnuPG added MDC are not affected by this, and are correctly handled in both GnuPG and Enigmail.

[Patrick Brunschwig]

Alright ... despite my aversion for such hacks, I implemented detection of MDC warnings based on human-readable text. I try to always call gpg in English now (not sure if this really works reliably on all platforms).

That is, whenever Enigmail sees the following line on stderr it will throw away the decrypted message and return nothing:

gpg: WARNING: message was not integrity protected

[Patrick Brunschwig]

Alright ... despite my aversion for such hacks, I implemented detection of MDC warnings based on human-readable text. I try to always call gpg in English now (not sure if this really works reliably on all platforms).

[Malte Finsterwalder]

Why is a failure in MDC and Error? I sure would like a big warning, but an error that prevents decryption entirely?!
After the last Enigmail update I can't decrypt my emails anymore. :-(
I get email without MDC and I can't change that, since I can't influence the sender to use MDC.
I already added a gnupg Flag: "--no-mdc-warning".
This worked for a day and now with the newest update doesn't work anymore.
Using the "--no-mdc-warning"-Flag, I don't see the warning
"gpg: WARNING: message was not integrity protected"
anywhere in the log or console, but still enigmail does not decrypt my message.
The Log shows "[GNUPG:] DECRYPTION_OKAY"

I could send you Log and Console output via email or as a privat message, if needed.

[Andrew Gallagher]

Malte,

MDC failures should be errors because MDC prevents an attacker decrypting your message by modifying it in transit and watching to see what happens when you read it. In OpenPGP this has up to now been mostly theoretical, but recently there was a practical attack published that works against both PGP and SMIME messages in HTML capable mail clients.

Iff you have HTML display turned off, it should be relatively safe to try decrypting with the flag “—ignore-mdc-error”. But at root, your correspondent’s messages are not safely encrypted - the standard was updated over a decade ago to prevent exactly this kind of error. There is no truly safe option other than to upgrade.

Andrew Gallagher

On 23 May 2018, at 21:44, Malte Finsterwalder finsterwalder@users.sourceforge.net wrote:

Why is a failure in MDC and Error? I sure would like a big warning, but an error that prevents decryption entirely?!
After the last Enigmail update I can't decrypt my emails anymore. :-(
I get email without MDC and I can't change that, since I can't influence the sender to use MDC.
I already added a gnupg Flag: "--no-mdc-warning".
This worked for a day and now with the newest update doesn't work anymore.

[vagab0nd]

Andrew or Patrick or anyone,
Are there options we can put in the enigmail advanced options for gpg that will allow us to read our vast archives encrypted email? Or do we have to go back to an earlier engmail version and if so, how do we keep it from auto updating in Thunderbird?
Thanks,
V

[Patrick Brunschwig]

No, there is no gpg option that could help you. But please read the support topic which includes options to access old mails.

https://sourceforge.net/p/enigmail/forum/support/thread/03ebee57/