
EFAIL Report and Symantec Email Encryption products


Article ID: 150870


Products

Desktop Email Encryption, Encryption Management Server, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK, Drive Encryption, Endpoint Encryption, File Share Encryption, Gateway Email Encryption

Issue/Introduction

EFAIL Report and Symantec Email Encryption products

Resolution

Symantec received a report of a potential vulnerability in the S/MIME and OpenPGP encryption standards and how it relates to the Symantec Encryption products.

Symantec has included a fix for this report in the following encryption products:
 
Symantec Encryption Management Server 3.4.2 HF1 and above
Symantec Encryption Desktop 10.4.2 HF1 and above
Symantec PGP Command Line 10.4.2 HF1 and above


For information on how to download Symantec Encryption products, see the following article:

193931 - How to download Symantec Encryption products from the Broadcom download Portal (And where to find the license number for PGP)

 

There were reports that uninstalling encryption software is recommended to mitigate EFAIL. This is incorrect and should not be done. If updating to the above versions is not immediately possible, Symantec recommends that you leave the encryption software installed and that you continue to encrypt sensitive data. Always ensure you have security software, such as Symantec Endpoint Protection, installed on your systems to mitigate against EFAIL. Uninstalling encryption software puts data in a much lower security posture and at greater risk of compromise. Symantec recommends that you disable the "download images" feature in your mail clients.

For more information on how to configure this feature in Outlook, review the Microsoft document:

 
Third-party location of the report:
https://efail.de/

Related CVE Reports (Information not yet populated):
CVE-2017-17688: OpenPGP CFB gadget attacks
CVE-2017-17689: S/MIME CBC gadget attacks

Notes:
If you are experiencing issues decrypting PGPzip files or decrypting emails, refer to the links in the "Additional Information" section for more guidance.

Additional Information

150870 - EFAIL Report and Symantec Email Encryption products

173550 - Unable to decrypt email after installing Encryption Desktop (PGP Desktop) 10.4.2 HF1 or above

173613 - Unable to decrypt PGP Zip files after installing Encryption Desktop (PGP Desktop) 10.4.2 HF1 or above