CVE-2023-0547 in Thunderbird

Summary

by MITRE • 06/02/2023

OCSP revocation status of recipient certificates was not checked when sending S/MIME encrypted email, and revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug. This vulnerability affects Thunderbird < 102.10.


Analysis

by VulDB Data Team • 07/09/2025

CVE-2023-0547 is a flaw in the S/MIME implementation of the Mozilla Thunderbird email client. When composing an encrypted message, Thunderbird is supposed to check the revocation status of each recipient's certificate through the Online Certificate Status Protocol (OCSP) before encrypting to the public key that certificate carries. A revoked certificate should no longer be trusted for that purpose, but the affected versions skipped the check and encrypted to revoked recipient certificates without complaint. The affected range runs from Thunderbird 68 through 102.9.1; the fix shipped in 102.10. The practical consequence is a confidentiality failure rather than a man-in-the-middle: if a recipient's private key was compromised and the certificate revoked for that reason, a sender on an affected version keeps encrypting mail to the compromised key, and whoever holds that key can read it.

The flaw lies in the handling of revocation checks on the sending path. Before encrypting to a recipient certificate, the client should obtain that certificate's OCSP status from the issuing CA's responder and refuse any certificate reported as revoked. In the affected versions this step was not performed when an encrypted message was sent, so the revocation state of the recipient certificate never influenced the decision to encrypt; the sender, not an attacker, is the one using the revoked certificate, and the attacker benefits only if they hold the corresponding private key. The weakness is classed as CWE-295, Improper Certificate Validation. It amounts to a trust-boundary violation: a certificate the issuing CA has explicitly withdrawn is treated as if it were still valid, which defeats the purpose of revocation in the PKI that S/MIME relies on. The advisory does not identify the exact code path; its description places the missing check in the recipient-certificate validation performed while sending encrypted mail.

The operational impact falls on the confidentiality of S/MIME mail in enterprise and individual deployments alike. A sender on an affected version cannot tell that a recipient's certificate has been withdrawn, so mail continues to be encrypted to a key the CA no longer vouches for. This matters most where revocation is the response to key compromise, a user leaving, or re-issuance of a certificate: a strict certificate management policy is only as effective as the clients that honour revocation. The weakness can be mapped to the MITRE ATT&CK technique T1552 (Unsecured Credentials), on the reasoning that a compromised key whose certificate has been revoked remains usable against senders who never learn of the revocation. More directly, a certificate that should have been explicitly rejected is accepted, which is an information disclosure risk for every message encrypted to it during the vulnerability window.

The recommended mitigation for CVE-2023-0547 is to upgrade to Thunderbird 102.10 or later, which restores the OCSP check for recipient certificates when sending encrypted mail. Organizations relying on S/MIME should also keep track of revoked certificates and remove revoked recipient certificates from users' address books and certificate stores, and confirm that OCSP querying is enabled in the client (the "Query OCSP responder servers" setting, preference security.OCSP.enabled) and that OCSP responders are reachable from client networks, since the restored check only helps when the lookup itself succeeds. Administrators should review whether mail was encrypted to known-revoked certificates during the vulnerability window and treat such messages as potentially exposed. The fix ensures that the OCSP result is evaluated before a recipient certificate is accepted, in line with RFC 5280 (PKIX path validation, including revocation checking) and RFC 6960 (OCSP). Periodic review of client configuration and certificate trust policies helps catch similar gaps in other components that depend on certificate validation.

Reservation

01/27/2023

Disclosure

06/02/2023

Moderation

accepted

CPE

ready

EPSS

0.00372

KEV

no

Activities

very low

Sources
