OpenPGP, S/MIME, EFAIL: what’s going on?

On Monday morning, Sebastian Schinzel, professor of computer security at the University of Münster in Germany, published a tweet to warn of the discovery of a new security vulnerability concerning OpenPGP and S/MIME e-mail encryption tools. Following this announcement, management at GNU Privacy Guard software said the vulnerabilities were at the implementation level in e-mail clients.

Both vulnerabilities, Direct Exfiltration and CBC/CFB Gadget Attack, could allow an attacker to exfiltrate sensitive data from encrypted emails.

With Stormshield solutions, you can rest assured

Our Stormshield Network Security and Stormshield Endpoint Security solutions do not use OpenPGP or S/MIME encryption tools.

Regarding our Stormshield Data Security solution, our decryption implementation is not affected by these vulnerabilities. Within SDS Enterprise, our mail add-in, Stormshield Data Mail for Outlook, uses a special mechanism to decrypt S/MIME and OpenPGP messages, and is therefore not vulnerable to Direct Exfiltration or CBC/CFB Gadget Attacks.

Full security advisory from our teams available on our website: advisories.stormshield.eu.
And for more information on vulnerabilities, visit the dedicated website.

About the author

Karine Monmarché
Global Lead Marketing, Stormshield

Karine Monmarché is Global Lead Marketing at Stormshield. Her multi-expertise background includes marketing and communication in all their guises. Well-versed in strategic and service offer marketing, in external, internal, Web & editorial communication, she has dedicated her career to exploring the areas she is passionate about: energy and new technologies in the broadest possible sense.