Filter by Category

GoAnywhere MFT Not Affected by EFAIL Vulnerabilities

goanywhere MFT already prevents EFAIL vulnerabilities

Ashland, NE, May 16, 2018

In light of the recent Open PGP & S/MIME warning (EFAIL), GoAnywhere has performed a software security review of its managed file transfer solution to ensure customers and their encrypted emails are not affected by this vulnerability. The review was positive and demonstrates that GoAnywhere MFT is already protected from EFAIL.

The EFAIL warning identifies a weakness with encrypted emails and how secure content can be exfiltrated. The weakness can be further exploited by using the CBC/CFB gadget attack on Open PGP encrypted MIME parts. An attacker may intercept and alter an encrypted email and add specially crafted HTML MIME parts, which causes vulnerable email clients to send decrypted data to an external party.

While GoAnywhere MFT can process Open PGP encrypted files, it does not support Open PGP encrypted emails. GoAnywhere is not affected by the CBC/CFB gadget attack on Open PGP and S/MIME. Instead, the software uses standard SSL/TLS to decrypt email messages. When messages are retrieved from a mail server, GoAnywhere maintains a separation between MIME parts, writing each part to their own unique file.

Additionally, the software does not evaluate or render HTML emails, mitigating the risk of a direct exfiltration attack.

The GoAnywhere team is dedicated to the continued stability and security of its products. Further security reviews will be performed as new information is published.

Latest Posts


What is SOC 2 and Why it Matters for Security

December 2, 2021

What is SOC 2, and does it apply to your organization? Discover the SOC 2 security compliance requirements, and how you can meet them.


What is Zero Knowledge Encryption?

November 30, 2021

Encryption holds the key to securing sensitive data. Learn a bit about zero knowledge encryption as well as the secure options a managed file transfer solution offers.


What is the DROWN Attack?

November 24, 2021

The DROWN Attack is a serious vulnerability that affects HTTPS and other servers that rely on SSL/TLS. Learn more about it in our blog and how to know if your server is vulnerable.


Developing a Plan for Data Risk Management

November 18, 2021

Does your organization have a data and risk management strategy in place? Here’s what to watch for and how you can develop a data risk management plan.


What Are Self-Service MFT Capabilities?

November 16, 2021

Self-service MFT capabilities help to provide more visibility into data movements through the use of the Business Activity Monitoring Dashboard (BAM). Learn more about BAM in our blog.