PT-2021-2594 · Mozilla+7 · Thunderbird+7

Neal Walfield · Published 2021-01-26 · Updated 2024-06-15 · CVE-2021-23993

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Thunderbird versions prior to 78.9.1

Description: The issue stems from insufficient verification of imported OpenPGP keys in the Thunderbird email client. An attacker can exploit this to send arbitrary encrypted messages. Specifically, if an attacker creates a crafted OpenPGP key with a subkey that has an invalid self-signature and a Thunderbird user imports this key, Thunderbird may attempt to use the invalid subkey. The RNP library then rejects it, causing encryption to fail. This can be used to perform a Denial of Service (DoS) attack that prevents the user from sending encrypted email to that correspondent.

Recommendations: For Thunderbird versions prior to 78.9.1, update to version 78.9.1 or later to resolve the issue. As a temporary workaround, avoid importing untrusted OpenPGP keys to minimize the risk of exploitation, and restrict the use of potentially crafted OpenPGP keys until the update is applied.

Fix

DoS

RCE

Improper Verification of Cryptographic Signature


Weakness Enumeration

Related Identifiers

ALT-PU-2021-1804
ALT-PU-2021-1886
ALT-PU-2021-1892
BDU:2021-02076
CESA-2021_1192
CESA-2021_1193
CVE-2021-23993
DLA-2632-1
DSA-4897-1
MGASA-2021-0189
OPENSUSE-SU-2021:0580-1
OPENSUSE-SU-2021_0580-1
OPENSUSE-SU-2024:10601-1
RHSA-2021:1190
RHSA-2021:1192
RHSA-2021:1193
RHSA-2021:1201
RHSA-2021_1192
RHSA-2021_1193
USN-4995-1
USN-4995-2

Affected Products

Alt Linux
Astra Linux
Centos
Linuxmint
Red Hat
Suse
Thunderbird
Ubuntu