Posted: January 29, 2003
Description
iDEFENSE, a security analysis firm, has reported that VanDyke Software Inc.'s SecureCRT® does not properly scrub memory, allowing an attacker with access to memory or a memory dump to retrieve authentication information. An attacker can search memory or a memory dump on the local machine for login credentials. Passwords transmitted by SecureCRT can be found by searching for the string "ssh-connection". The login and password are stored in plain text on the respective sides of this keyword.
An attacker who is able to obtain a target user's memory dump will be able to recover passwords for remote systems. This is of special concern in shared environments. If a user suspects that his or her login credentials have been compromised, he or she should immediately change them.
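The defect class described above is credential material left behind in process memory after authentication. The following added example (not VanDyke's code) shows the corresponding fix in C: zeroing the buffer with a wipe that the compiler cannot elide, and a check that the "ssh-connection" marker and the secret no longer remain. The in-memory layout built by build_userauth_region is a constructed stand-in, not the client's real packet format.

```c
#include <stddef.h>
#include <string.h>

/* Wipe that the compiler must not drop: the stores go through a volatile
 * pointer. A plain memset() on a buffer that is about to be freed or go
 * out of scope is a dead store and may be removed by the optimizer. */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) {
        *v++ = 0;
    }
}

/* Returns 1 if every byte of the buffer is zero, else 0. */
int is_zeroed(const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= b[i];
    return acc == 0;
}

/* Byte search for a marker string (memmem is not standard C).
 * Returns 1 if found, 0 otherwise. */
int contains_marker(const unsigned char *buf, size_t n, const char *marker) {
    size_t m = strlen(marker);
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++) {
        if (memcmp(buf + i, marker, m) == 0) return 1;
    }
    return 0;
}

/* Constructed stand-in for the plaintext a client holds while
 * authenticating: login, the "ssh-connection" service name, then the
 * password, side by side. Returns bytes written, or 0 if cap is too small. */
size_t build_userauth_region(unsigned char *out, size_t cap,
                             const char *user, const char *password) {
    const char *svc = "ssh-connection";
    size_t lu = strlen(user), ls = strlen(svc), lp = strlen(password);
    if (lu + ls + lp > cap) return 0;
    memcpy(out, user, lu);
    memcpy(out + lu, svc, ls);
    memcpy(out + lu + ls, password, lp);
    return lu + ls + lp;
}
```

Call secure_wipe on every buffer that held the password as soon as the authentication exchange completes, not only at process exit.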
This vulnerability exists in the following versions of VanDyke Software client applications:
SecureCRT: 4.0.2 and 3.4.7
SecureFX® : 2.1.2 and 2.0.4
Entunnel™ : 1.0.2 and earlier
Earlier versions of these client applications are vulnerable as well. VanDyke encourages all users whose licenses were purchased prior to June 1, 2000 to consider upgrading to the current version(s) of their licensed applications.
Revised versions of SecureCRT are available for registered users of versions 3.4.x and 4.0.x. VanDyke recommends that all users of these versions upgrade immediately to the available revisions.
Users who purchased licenses on or after June 1, 2001 may download either SecureCRT 3.4.8 or SecureCRT 4.0.9.
Users who purchased licenses prior to June 1, 2001 should download SecureCRT 3.4.8.
Users who purchased licenses prior to June 1, 2000 should consider upgrading to version 4.1.x.
Revised versions of SecureFX are available for registered users of versions 2.0.x and 2.1.x. VanDyke recommends that all users of these versions upgrade immediately to the available revisions.
Users who purchased licenses on or after June 1, 2001 may download either SecureFX 2.0.5 or SecureFX 2.1.8.
Users who purchased licenses on or after June 1, 2000 should download SecureFX 2.0.5.
Users who purchased licenses prior to June 1, 2000 should consider upgrading to version 2.2.x.
A revised version of Entunnel is available for all registered users. VanDyke recommends that all users upgrade immediately to this revision.
All Entunnel users should download Entunnel 1.1.2.
Affected Software Versions
SecureCRT 4.0.2 or earlier
SecureCRT 3.x official
SecureCRT 2.x official
SecureFX 2.1.x
SecureFX 2.0.x
SecureFX 1.9.x
Entunnel 1.x
Vulnerability Fix Downloads
SecureCRT 4.1.x - http://www.vandyke.com/download/securecrt/4.1/index.html
SecureCRT 4.0.9 - http://www.vandyke.com/download/securecrt/4.0/index.html
SecureCRT 3.4.8 - http://www.vandyke.com/download/securecrt/3.4/index.html
SecureFX 2.2.x - http://www.vandyke.com/download/securefx/2.2/index.html
SecureFX 2.1.8 - http://www.vandyke.com/download/securefx/2.1/index.html
SecureFX 2.0.5 - http://www.vandyke.com/download/securefx/2.0/index.html
Entunnel 1.1.2 - http://www.vandyke.com/download/entunnel/index.html
Technical Support
For further information on the security advisory, please contact VanDyke Software.
Official Postings
The original notification of this vulnerability was made to VanDyke Software by iDefense on January 10, 2003 and was announced publicly on January 29, 2003.
VanDyke posted this page on January 29, 2003.
Revision History
January 29, 2003 - Security Advisory published.
February 20, 2003 - Security Advisory updated.
March 20, 2003 - Security Advisory updated.