Vulnerability Details : CVE-2018-12019
The signature verification routine in Enigmail before 2.0.7 interprets user ids as status/control messages and does not correctly keep track of the status of multiple signatures, which allows remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids.
Products affected by CVE-2018-12019
- cpe:2.3:a:enigmail:enigmail:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-12019
0.73% - probability of exploitation activity in the next 30 days
EPSS Score History
~80% - percentile, the proportion of vulnerabilities that are scored at or below this score
CVSS scores for CVE-2018-12019
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2018-12019
- The product does not verify, or incorrectly verifies, the cryptographic signature for data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-12019
- https://www.enigmail.net/index.php/en/download/changelog - Enigmail - Changelog (Exploit; Vendor Advisory)
- http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html - Johnny You Are Fired - Packet Storm (Third Party Advisory; VDB Entry)
- http://seclists.org/fulldisclosure/2019/Apr/38 - Full Disclosure: OpenPGP and S/MIME signature forgery attacks in multiple email clients (Mailing List; Third Party Advisory)
- https://github.com/RUB-NDS/Johnny-You-Are-Fired - GitHub - RUB-NDS/Johnny-You-Are-Fired: Artifacts for the USENIX publication
- http://www.openwall.com/lists/oss-security/2019/04/30/4 - oss-security - Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients) (Mailing List; Third Party Advisory)
- http://openwall.com/lists/oss-security/2018/06/13/10 - oss-security - CVE-2018-12020, CVE-2018-12019 in GnuPG, Enigmail, GPGTools, python-gnupg (Mailing List; Third Party Advisory)
- https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf - Johnny-You-Are-Fired/johnny-fired.pdf at master - RUB-NDS/Johnny-You-Are-Fired - GitHub