Vigil@nce - Enigmail: spoofing via Unsigned Parts Displayed Signed
March 2020 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/?langue=2
SYNTHESIS OF THE VULNERABILITY
An attacker can create spoofed data via Unsigned Parts Displayed
Signed of Enigmail, in order to deceive the victim.
Impacted products: Fedora, openSUSE Leap, SLES.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 22/01/2020.
DESCRIPTION OF THE VULNERABILITY
The Enigmail signs its data in order to authenticate them.
However, data can be altered without changing the signature.
An attacker can therefore create spoofed data via Unsigned Parts
Displayed Signed on Enigmail, in order to deceive the victim.
ACCESS TO THE FULL VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Enigmail-spoofing-via-Unsigned-Parts-Displayed-Signed-31391