CVE-2022-1520: Thunderbird Incorrect Encryption and Signature Status Vulnerability - A Deep Dive

CVE-2022-1520 is a recently discovered vulnerability affecting Thunderbird, a popular open-source email client. When an encrypted or digitally signed email message B is attached to another message A, the email client may show the wrong encryption or signature status for message A after opening and viewing message B. This vulnerability could lead to potential security risks for users due to the possibility of incorrect security information being shown. In this long read post, we will take a deep dive into the vulnerability, looking at code snippets, original references, and exploit details. So, let's get started.

Vulnerability Details

- Name: Thunderbird Incorrect Encryption/Signature Status Vulnerability

Severity: Low

The incorrect encryption and signature status vulnerability can be a potential security risk as it may lead to the display of false information about the security of a message.

Code Snippet

To illustrate the vulnerability, let's take a look at a sample code snippet that demonstrates the issue:

// Message A (unencrypted/unsigned) contains an attachment of Message B (encrypted/signed)

Thunderbird.showEmail(MessageA);

// Open Message B from attachment
Thunderbird.openAttachment(MessageB);

// View and close Message B
Thunderbird.viewEmail(MessageB);
Thunderbird.closeEmail(MessageB);

// Go back to Message A in Thunderbird
Thunderbird.showEmail(MessageA);

// Message A security status is now incorrectly shown as encrypted/signed (the status of Message B)
console.log(MessageA.getSecurityStatus()); // Output: encrypted/signed (wrong)

As seen in the code snippet above, after viewing the attached message B and returning to message A, the security status of message A is incorrectly shown as encrypted/signed.

For more information about this vulnerability, please refer to the following original references

1. Mozilla Foundation Security Advisory 2022-10
2. CVE-2022-1520 Official Link
3. Thunderbird Security Advisory

Exploit Details

An attacker exploiting this vulnerability would need the targeted user to open an email message containing an attachment with an encrypted or digitally signed message. This could potentially be achieved through a phishing attack, where the attacker would craft a legitimate-looking email containing the malicious attachment (B), enticing the target to open it.

Once the target opens the attachment and views the encrypted/signed message (B), the vulnerability is triggered, causing the incorrect security status to be displayed for the original message (A). At this point, the target may wrongly believe that message A is encrypted/signed, increasing the likelihood of them interacting with its content and potentially compromising their security.

Conclusion

CVE-2022-1520 highlights the importance of keeping software up-to-date and ensuring that security fixes are applied in a timely manner. Thunderbird has addressed this vulnerability in version 91.9, and users are advised to update their installations as soon as possible. By understanding the details of the vulnerability, taking note of code snippets, original references, and potential exploit scenarios, users and developers can better secure their communications and systems.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/29/2022 16:40:00 UTC