CVE-2023-0430 - Thunderbird OCSP Certificate Revocation Status Not Checked in S/MIME Signatures: Versions 68 to 102.7.

The CVE-2023-0430 vulnerability affects Mozilla Thunderbird, an open-source email client, in which the certificate revocation status is not checked when verifying S/MIME signatures. As a result, emails signed with a revoked certificate are displayed as having a valid signature. This flaw puts the confidentiality of exchanged emails at risk and can be abused for malicious activity.

In this post, we will dive into the specifics of CVE-2023-0430, including the affected Thunderbird versions and how the exploit works, along with sample code snippets and original references.

Affected versions

Mozilla Thunderbird versions 68 through 102.7 are affected by this vulnerability. Users are advised to update to Thunderbird 102.7.1 or later to avoid the associated security risk.

Understanding the vulnerability

When Thunderbird verifies the S/MIME signatures in signed emails, it does not check for the certificate's revocation status (using the Online Certificate Status Protocol, or OCSP). Therefore, an email signed with a revoked certificate will still appear as valid, potentially undermining the authenticity and security of the communication.

Exploit details

The following code snippet demonstrates the process of verifying an S/MIME signature without checking for certificate revocation status:

from M2Crypto import BIO, SMIME, X509

def verify_without_ocsp_check(signed_mail, ca_certs):
    """Verify an S/MIME signed message against a set of trusted CA certificates.

    signed_mail: the raw signed message as bytes.
    ca_certs: a list of M2Crypto X509.X509 trust anchors.
    Returns the verified message content.
    """
    smime_obj = SMIME.SMIME()
    x509_store = X509.X509_Store()

    # Load the CA certificates used to build and validate the signer's chain
    for ca_cert in ca_certs:
        x509_store.add_cert(ca_cert)
    smime_obj.set_x509_store(x509_store)
    # No extra signer certificates: they are taken from the message itself
    smime_obj.set_x509_stack(X509.X509_Stack())

    # Split the S/MIME message into the PKCS#7 signature and the signed data
    email_bio = BIO.MemoryBuffer(signed_mail)
    p7, data_bio = SMIME.smime_load_pkcs7_bio(email_bio)

    # Verify chain and signature only; the signer certificate's revocation
    # status is never consulted, which is the flaw behind CVE-2023-0430
    return smime_obj.verify(p7, data_bio)

In this example, emails with revoked certificates will still be considered valid, as the OCSP revocation status is not checked.

Original references

- Mozilla Security Advisory
- CVE Details
- NIST Vulnerability Database

Mitigation

1. Update Thunderbird to version 102.7.1 or later, which includes a fix for the vulnerability.

2. Implement OCSP certificate revocation status checking when verifying S/MIME signatures.

Conclusion

The CVE-2023-0430 vulnerability poses a significant security risk for Thunderbird users who rely on S/MIME signatures for secure communication. It is essential to keep the email client up-to-date and ensure that OCSP certificate revocation status checking is in place to prevent potential security breaches and maintain the integrity of sensitive email communications.

Timeline

Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/09/2023 17:02:00 UTC