Security Advisories

Addressing vulnerabilities in a timely fashion is part of our commitment to providing responsive support to our customers. VanDyke Software works closely with security investigators and researchers at CERT and other organizations to evaluate announced vulnerabilities and determine whether they impact our products. When a vulnerability is found to affect one or more of our products, we make every effort to provide a fix as quickly as possible and alert our customers using our website and our product announcement lists.

Advisories 2008

December 2008: CPNI CPNI-957037
CPNI has released a security advisory describing a vulnerability in SSH that allows an attacker with control over the network to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. VShell® version 3.5.1 and earlier, SecureCRT® version 6.1.2 and earlier, SecureFX® version 6.1.2 and earlier, and VanDyke ClientPack 6.1.2 and earlier are potentially vulnerable to this attack.

July 2008: Debian DSA-1571-1
Debian has released a security advisory describing a vulnerability in the random number generator used by the OpenSSL package included with Debian GNU/Linux, Ubuntu, and other Debian-based operating systems.
Not Applicable to VanDyke Software products. However, it is recommended that you upgrade your Debian- and Ubuntu-based systems and then regenerate cryptographic key material as described in the advisory.

Advisories 2007

January 2007: CERT VU#845620
It is theoretically possible for an attacker to forge RSA signatures when the RSA key has a public exponent of three. SecureCRT® version 5.2.1 and earlier, SecureFX® version 4.0.1 and earlier, and VShell® version 2.6.2 and earlier for Windows, Red Hat Linux, HP-UX, AIX, and Solaris are potentially vulnerable to this attack.

Advisories 2006

March 2006: Secunia SA19040
In SecureCRT versions 5.0 through 5.0.4 and SecureFX versions 3.0 through 3.0.4, a buffer overflow was theoretically possible when a Unicode string was converted to a narrow string.

Advisories 2005

August 2005: CERT VU#973635
In VShell versions 2.3.5 and earlier for Windows, when a host key is automatically created by VShell, the host key file inherits the permissions of its parent directory, potentially allowing access to authenticated users. VShell version 2.3.6 will ensure that when a host key is automatically generated, the permissions on the host key file will be set such that only SYSTEM and members of the Administrators group will have access rights.

Advisories 2004

December 2004: BugTraq 12122
SecureCRT is reported prone to a remote denial of service vulnerability. It is reported that supplying an excessive string value to the application through the hostname field may trigger this vulnerability. Apparently, this causes the client application to crash. SecureCRT 4.0.9 and earlier may be vulnerable when SSH2 is used. SecureCRT 4.1 or newer provides a fix for SSH2 connections.

November 2004: Secunia SA13275
Secunia Advisory - SecureCRT Arbitrary Configuration Folder Specification Vulnerability. CRT™ and SecureCRT 4.0 and 4.1 allow an arbitrary configuration folder to be specified to the "telnet:" URI handler via the "/F" command-line option. Successful exploitation allows execution of arbitrary commands via a malicious logon script with the privileges of the user running CRT or SecureCRT. This vulnerability is only applicable to users who have made CRT or SecureCRT their default Telnet client.

September 2004: CERT VU#795632, CERT VU#866472, CERT VU#550464
CERT VU#795632 - Double-free errors may allow unauthenticated remote attackers to execute arbitrary code on KDC or clients.
CERT VU#866472 - Double-free errors may allow authenticated attackers to execute arbitrary code on application servers.
CERT VU#550464 - Remote denial-of-service vulnerability in the KDC and libraries.
Not Applicable to VanDyke Software Products. CERT has released a security advisory affecting MIT Kerberos 5 versions 1.3.4 and earlier. Although VanDyke products are not affected, there may be installations of VShell within an MIT Kerberos 5 environment which support Kerberos authentication through GSSAPI. In such cases, administrators are strongly encouraged to update MIT Kerberos to a version later than 1.3.4.
For more information on this vulnerability, including information regarding fixes for these vulnerabilities, please visit the MIT Kerberos Security Advisories.

February 10, 2004: Microsoft MS04-007 / US-CERT TA-04-041A
Microsoft has released a security bulletin (MS04-007) describing a vulnerability in the parsing of ASN.1 data that could result in remote code execution. US-CERT published an advisory on this vulnerability on February 10, 2004.
Not Applicable to VanDyke Software products. It is, however, a critical vulnerability in affected versions of Windows for which Microsoft updates should be applied immediately.

Advisories 2003

September 30, 2003: CERT VU#104280
CERT Vulnerability Note - Multiple vulnerabilities in SSL/TLS implementations.
Not Applicable to VanDyke Software products. This vulnerability only affects products that use OpenSSL.

June 04, 2003: CERT VU#978316
CERT Vulnerability Note - A vulnerability in the OpenSSH daemon (sshd) may give remote attackers a better chance of gaining access to restricted resources.

March 25, 2003: CERT VU#997481
CERT Vulnerability Note - Timing Attack Vulnerabilities: "Cryptographic libraries and applications do not adequately defend against timing attacks." SecureCRT 4.0.4 and earlier may be vulnerable when SSH1 is used. SSH2 connections are not affected by the vulnerability. No other VanDyke Software product is affected by this vulnerability. SecureCRT 4.0.9 or newer provides a fix for SSH1 connections.

January 29, 2003: iDEFENSE
VanDyke Software released versions of its client applications to eliminate a security issue that made login credentials transmitted by VanDyke secure clients vulnerable to discovery if an attacker were able to access memory or a memory dump on the local machine.

Advisories 2002

July 25, 2002: BugTraq
VanDyke Software released SecureCRT version 3.4.8 and version 4.0.9 or newer to eliminate a security issue in SecureCRT 2.x, 3.x, 4.0 beta 2 or earlier. The issue made SecureCRT vulnerable to a buffer overflow attack which could allow malicious parties to execute arbitrary code when connecting to an SSH1 server that has been modified to perform this exploit. SSH2 connections are not affected by the vulnerability.

December 16, 2002: CERT VU#389665
CERT Advisory CA-2002-36 Regarding SSH Vulnerabilities.
Not Applicable to VanDyke Software products.