EFAIL Report and Symantec Email Encryption products
Symantec received a report of a potential vulnerability in encrypted S/MIME and OpenPGP standards and how it relates to the Symantec Encryption products.
Symantec has included a fix for this report in the following encryption products:
Symantec Encryption Management Server 3.4.2 HF1 and above
Symantec Encryption Desktop 10.4.2 HF1 and above
Symantec PGP Command Line 10.4.2 HF1 and above
For information on how to download Symantec Encryption products, see the following article:
193931 - How to download Symantec Encryption products from the Broadcom download Portal (And where to find the license number for PGP)
There were reports that uninstalling encryption software is recommended to mitigate EFAIL. This is incorrect and should not be done. If updating to the above versions is not immediately possible, Symantec recommends that you leave the PGP Encryption software installed and that you continue to encrypt sensitive data.
Always ensure you have security software, such as Symantec Endpoint Protection, installed on your systems to mitigate EFAIL.
Uninstalling encryption software puts data in a much lower security posture and at greater risk of compromise.
Symantec recommends that you disable the "download images" feature in mail clients if it is not needed.
For more information on how to configure this feature in Outlook, review the Microsoft document:
Third-party location of the report:
https://efail.de/
Related CVE Reports (Information not yet populated):
CVE-2017-17688: OpenPGP CFB gadget attacks
CVE-2017-17689: S/MIME CBC gadget attacks
Notes:
If you are experiencing issues decrypting PGPzip files or decrypting emails, refer to the links in the "Additional Information" section for more guidance.