EFAIL PGP vulnerability does not affect DMARC Analyzer

May 14, 2018

Today, news sources published about a vulnerability in encrypted email using OpenPGP and S/MIME. Later this morning (European time), the IT security lab at the Münster University of Applied Sciences released the details of this vulnerability referred to as EFAIL.

The official website, https://efail.de/, describes the context and possible mitigations.

DMARC Analyzer can be set up to store incoming DMARC forensic reports encrypted with PGP. This encryption is only performed if a client has installed the public part of their PGP key pair.

No impact on DMARC Analyzer
Our team followed EFAIL with close attention and investigated the potential impact on the DMARC Analyzer software. We concluded that the reported vulnerabilities do not affect DMARC Analyzer's use of PGP.

To exploit the EFAIL vulnerabilities, an attacker first needs access to the encrypted message. Additionally, the EFAIL vulnerabilities revolve around a mail user agent (MUA) decrypting and rendering PGP-encrypted content.
This does not apply to DMARC Analyzer: our software provides no functionality to decrypt or render encrypted content (DMARC forensic reports).

The DMARC Analyzer software provides encrypted DMARC forensic reports as a download, suitable for local decryption with the (client-owned) private key.
Since the content of DMARC forensic reports can be potentially malicious, these encrypted messages should always be handled with care. The EFAIL vulnerabilities have not changed that.

Recommendations
DMARC Analyzer only performs PGP encryption after a client has installed a PGP public key in our appliance. For clients who use this functionality, we advise always following the recommendations below when decrypting DMARC forensic reports:

  • Ensure the standard security best practices are in place (e.g. keep the OS and virus scanner updated, take (cold) backups, use two-factor authentication and a password manager).
  • Store key pairs and passphrases in an encrypted environment, such as a password manager or other encrypted space. Never store key pairs and passwords in plain text files.
  • Decrypt PGP content with trusted stand-alone decryption software. We tested local tools such as Gpg4win (Windows) and GPG Suite (OS X). We prefer local (open source) tools over web-based solutions.
  • Do not render HTML, especially not in an MUA. Instead, use a text editor to analyze the content of DMARC forensic reports.
  • If further research is desired, for instance to reveal phishing websites, use a sandbox environment. This will mitigate the impact of phishing attacks or malware.
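As an added example (not DMARC Analyzer code), the Python script below applies the last two recommendations in practice: it treats a forensic report that has already been decrypted locally as text only, never renders the HTML it contains, and merely lists the remote resources that HTML would have fetched so they can be looked at in a sandbox instead. The sample report, its domains and its field values are all constructed for this example.

```python
# Added example, not DMARC Analyzer code: inspects an already-decrypted
# DMARC forensic report as text only; HTML is never rendered, no URL fetched.
import email
import re
from email import policy

# Remote resources an HTML renderer would fetch: listed here, never requested.
EXTERNAL_REF = re.compile(r"""(?:src|href)\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)

# Constructed sample (RFC 5965 multipart/report), not a real report.
SAMPLE_REPORT = """\
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

This is an email abuse report for a message that failed DMARC.
--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Original-Mail-From: <sender@unrelated.example>
Reported-Domain: reported.example

--b1
Content-Type: message/rfc822

Content-Type: text/html; charset=utf-8

<html><body><p>Please pay now.</p>
<img src="http://tracker.example/pixel.gif">
<a href="https://accounts.example/verify">Sign in</a></body></html>
--b1--
"""


def inspect_report(raw):
    """Return the summary text, feedback fields and HTML references as plain data."""
    msg = email.message_from_string(raw, policy=policy.default)
    result = {"summary": "", "feedback": {}, "html_parts": 0, "external_refs": []}
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            result["summary"] = part.get_content().strip()
        elif ctype == "message/feedback-report":
            # Parsed as a nested message whose headers are the report fields.
            result["feedback"] = {k: str(v) for k, v in part.get_payload(0).items()}
        elif ctype == "message/rfc822":
            for sub in part.get_payload(0).walk():  # the original message
                if sub.get_content_type() == "text/html":
                    result["html_parts"] += 1
                    result["external_refs"] += EXTERNAL_REF.findall(sub.get_content())
    return result
```

Run it on the output of a local decryption (for example the file written by `gpg --decrypt`) and review the returned data in a text editor or terminal; anything under external_refs is a candidate for sandboxed analysis, not for opening in a mail client.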