CVE-2018-18509 — Improper Verification of Cryptographic Signature in Mozilla Thunderbird

CWE-347 — Improper Verification of Cryptographic Signature CWE-451 — User Interface (UI) Misrepresentation of Critical Information11 documents7 sources

Severity

5.3MEDIUMNVD

OSV7.8OSV5.5

EPSS

0.3%

top 51.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Linux Kernel Debian Thunderbird

Timeline

PublishedApr 26

Latest updateMay 24

Description

A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages6 packages

▶debiandebian/thunderbird< thunderbird 1:60.5.1-1 (bookworm)

▶CVEListV5mozilla/thunderbirdunspecified — 60.5.1

▶NVDmozilla/thunderbird< 60.5.1

▶Debianmozilla/thunderbird< 1:60.5.1-1+3

▶Ubuntumozilla/thunderbird< 1:60.5.1+build2-0ubuntu0.14.04.1+2

🔴Vulnerability Details

GHSA

GHSA-pqr9-248w-h9pf: A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the show↗2022-05-24

▶

OSV

linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities↗2019-10-01

▶

OSV

CVE-2018-18509: A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the show↗2019-04-26

▶

OSV

thunderbird vulnerabilities↗2019-02-26

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2019-02-26

▶

Red Hat

thunderbird: flaw in verification of S/MIME signature resulting in signature spoofing↗2019-02-14

▶

Debian

CVE-2018-18509: thunderbird - A flaw during verification of certain S/MIME signatures causes emails to be show...↗2018

▶

💬Community

Bugzilla

CVE-2018-18509 thunderbird: flaw in verification of S/MIME signature resulting in signature spoofing↗2019-02-15

▶

Bugzilla

CVE-2018-18509 thunderbird: flaw in verification of S/MIME signature resulting in signature spoofing [fedora-all]↗2019-02-15

▶

Bugzilla

Wrong Thunderbird S/MIME signature status shown, if CMS signed data has data content.↗2018-11-14

▶