PT-2018-2720 · Mozilla+5 · Thunderbird+5

Damian Poddebniak · Published 2018-12-31 · Updated 2024-06-15 · CVE-2018-18509

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Thunderbird versions prior to 60.5.1

Description

A flaw in the verification of certain S/MIME signatures in Thunderbird causes emails to be displayed as having a valid digital signature, even if the message contents are not covered by the signature. This issue allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. The vulnerability is related to incomplete verification of digital signature metadata.

Recommendations

For Thunderbird versions prior to 60.5.1, update to version 60.5.1 or later to resolve the issue. As a temporary workaround, consider disabling the use of S/MIME signatures in Thunderbird until a patch is applied. Restrict access to sensitive email content to minimize the risk of exploitation. Avoid relying solely on digital signatures for email authenticity verification until the issue is resolved.

Exploit

Fix

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

ALT-PU-2019-1254
BDU:2019-01570
CESA-2019_0680
CESA-2019_0681
CESA-2019_1144
CVE-2018-18509
DLA-1678-1
DSA-4392-1
MGASA-2019-0088
OPENSUSE-SU-2019:0249-1
OPENSUSE-SU-2019:0251-1
OPENSUSE-SU-2019:1162-1
OPENSUSE-SU-2019_0250-1
OPENSUSE-SU-2019_0251-1
OPENSUSE-SU-2019_1162-1
OPENSUSE-SU-2024:10601-1
RHSA-2019:0680
RHSA-2019:0681
RHSA-2019:1144
RHSA-2019_0680
RHSA-2019_0681
RHSA-2019_1144
SUSE-SU-2019:0469-1
SUSE-SU-2019:0853-1
USN-3897-1

Affected Products

ALT Linux
CentOS
Red Hat
SUSE
Thunderbird
Ubuntu