search cancel

EFAIL Report and Symantec Email Encryption products

book

Article ID: 150870

calendar_today

Updated On:

Products

Desktop Email Encryption Encryption Management Server

Issue/Introduction

 

Resolution

Symantec received a report of a potential vulnerability in encrypted S/MIME and OpenPGP standards and how it relates to the Symantec Encryption products. 

Symantec has included a fix for this report in the following encryption products:
 
Symantec Encryption Management Server 3.4.2 HF1
Symantec Encryption Desktop 10.4.2 HF1
Symantec PGP Command Line 10.4.2 HF1

Update August 10, 2018: This fix is also included in Symantec Encryption Management Server 3.4.2 MP1 and Symantec Encryption Desktop 10.4.2 MP1 and above.

These products can be downloaded via fileconnect.

There have been reports that uninstalling Encryption software is recommended to mitigate EFAIL.  If updating to the above versions is not immediately possible, Symantec recommends that you leave Encryption software installed, and that you continue to encrypt sensitive data.  Uninstalling Encryption software puts data in a much lower security posture.  Symantec recommends that you disable the “download images” feature in the mail clients.

For more information on how to configure this feature in Outlook, review the Microsoft document:

https://support.office.com/en-us/article/block-or-unblock-automatic-picture-downloads-in-email-messages-15e08854-6808-49b1-9a0a-50b81f2d617a  

Third-party location of the report:
https://efail.de/

Related CVE Reports (Information not yet populated):
CVE-2017-17688: OpenPGP CFB gadget attacks
CVE-2017-17689: S/MIME CBC gadget attacks

Notes:
If you are experiencing issues decrypting PGPzip files, or other encrypted files after upgrading to Symantec Encryption Desktop 10.4.2 HF1 or above, please see article TECH253087.

If you are experiencing issues decrypting emails automatically after upgrading to Symantec Encryption Desktop 10.4.2 HF1 or above, please see article TECH252997.