Different vendors have different CVEs for specific security issues relevant to EFAIL, but there are two CVE numbers for the CBC and CFB gadget attacks: CVE-201717688: OpenPGP CFB gadget attacks and CVE-2017-17689: S/MIME CBC gadget attacks. The researchers stated that their analysis showed that EFAIL plaintext exfiltration channels exist for 25 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients.
Synack’s CTO and Co-Founder Mark Kuhr pointed out that independent security researcher are advising people to stop using PGP, and the media is following suit. But his opinion is that this is a terrible idea. “This is like saying ‘your lock may not work, so leave your door wide open.’” Lee Neely on the editorial board of SANS NewsBites in Volume 20 Number 38 states it best “These flaws are relatively low risk as exploiting these vulnerabilities is tricky and relies on several things.”
Time will tell as to just how dangerous and exploitable these flaws are. Don’t read us wrong - should these flaws be addressed? Absolutely. We all need to implement mitigations (a number of which were outlined on the website), address correcting the clients, follow the CVEs and patches as available, and address the systemic fixes to PGP and S/MIME protocols. But we also need to address the underlying conflicts between usability and capability vs. security that are in our opinion at the root of this issue, and look toward making email more secure.
Sources: https://www.reuters.com/article/us-cyber-encryption/popularencrypted-email-standards-are-unsafe-european-researchersidUSKCN1IF1LL https://www.independent.co.uk/life-style/gadgets-and-tech/news/emailsecurity-s-mime-pgp-encryption-latest-broken-not-working-fix-how-toa8351116.html