PGP/MIME encrypted messages injected into a Vaultive O365 frontend via IMAP or SMTP have their Content-Type changed from:
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="abc123abc123"
to:
Content-Type: text/plain
This results in the encrypted message being structured in such a way that most PGP/MIME-capable mail user agents are unable to decrypt it cleanly.
The outcome is that encrypted mail passing through this device does not work (Denial of Service), and a common real-world consequence is a request to re-send the mail in the clear (Information Disclosure).
Vaultive has acknowledged the issue and fixed this in version 4.5.21.
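The following is an added example, not part of the advisory or of Vaultive's software: a Python check that a mail administrator could run over stored messages to find PGP/MIME mail whose top-level Content-Type was rewritten to text/plain as described above. The sample message, its placeholder body and the function name classify are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample (placeholder body, not real ciphertext), using the
# Content-Type header quoted in the advisory.
ORIGINAL = b"""\
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="abc123abc123"

--abc123abc123
Content-Type: application/pgp-encrypted

Version: 1

--abc123abc123
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

placeholder
-----END PGP MESSAGE-----
--abc123abc123--
"""
# The same message after the header rewrite the advisory describes.
MANGLED = ORIGINAL.replace(
    b'multipart/encrypted; protocol="application/pgp-encrypted"; boundary="abc123abc123"',
    b"text/plain")

# RFC 3156 control-part header left behind inside a body now labelled text/plain.
CONTROL_PART = re.compile(r"^Content-Type:\s*application/pgp-encrypted", re.I | re.M)

def classify(raw: bytes) -> str:
    """Return 'pgp-mime-ok', 'pgp-mime-mangled' or 'not-pgp-mime'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        parts = msg.get_payload() if msg.is_multipart() else []
        proto = (msg.get_param("protocol") or "").lower()
        if (proto == "application/pgp-encrypted" and len(parts) == 2
                and parts[0].get_content_type() == "application/pgp-encrypted"):
            return "pgp-mime-ok"
    elif ctype == "text/plain":
        text = (msg.get_payload(decode=True) or b"").decode("ascii", "replace")
        if CONTROL_PART.search(text) and "-----BEGIN PGP MESSAGE-----" in text:
            return "pgp-mime-mangled"
    return "not-pgp-mime"
```

A message classified as pgp-mime-mangled still carries its MIME boundary lines and both RFC 3156 parts in the body, which is why the check can distinguish it from ordinary inline-armored text.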
CWE-222: Truncation of Security-relevant Information
Vaultive
Vaultive Office 365 Security - version 4.5.19
IMAP and SMTP interfaces to Vaultive O365 Security (other interfaces untested)
- Denial of Service
- Information Disclosure
The vulnerability is triggered by anyone sending PGP/MIME encrypted mail through a Vaultive appliance.
Daniel Kahn Gillmor, ACLU