GoAnywhere MFT – Not Affected by EFAIL

View some of the Frequently Asked Questions to our support staff. Included are some tips and tricks making this forum ideal for users getting started with GoAnywhere MFT. Note: Users can reply to existing topics but only our support staff can add new topics to this forum.
1 post Page 1 of 1

Support_Josh

User avatar
Posts: 11
Joined: Thu Feb 16, 2017 11:20 am

Post by Support_Josh » Tue May 15, 2018 12:19 pm
Question:
Is GoAnywhere MFT or any components of the software susceptible to the recent OpenPGP & S/MIME vulnerabilities?

Answer:
In light of the recent OpenPGP & S/MIME warning (EFAIL), HelpSystems has performed a software security review of GoAnywhere Managed File Transfer (GoAnywhere) to ensure our customers are not affected by this vulnerability. The review has yielded positive results and demonstrates that GoAnywhere is already protected from EFAIL.

The EFAIL warning identifies a weakness with encrypted emails, and how secure content can be exfiltrated. The weakness can be further exploited by using the CBC/CFB gadget attack on OpenPGP encrypted MIME parts. An attacker may intercept and alter an encrypted email and add specially crafted HTML MIME parts which will cause vulnerable email clients to send decrypted data to an external party.

While GoAnywhere can process OpenPGP encrypted files, it does not support OpenPGP encrypted emails. GoAnywhere is not affected by the CBC/CFB gadget attack on OpenPGP and S/MIME. GoAnywhere uses standard SSL/TLS to decrypt email messages. When messages are retrieved from a mail server, GoAnywhere maintains a separation between MIME parts, writing each part to their own unique file. Additionally, GoAnywhere does not evaluate or render HTML emails; thus, mitigating the risk of a direct exfiltration attack.

The GoAnywhere team is dedicated to the continued stability and security of its products. Security reviews will be performed as new information is published.
Joshua Przybysz
Senior Support Analyst
e. goanywhere.support@helpsystems.com
p. 1.800.949.4696
w. HelpSystems.com
1 post Page 1 of 1