VanDyke Software

Security Advisory

Security Advisory — SecureCRT® 2.x, 3.x, 4.0.x

 

SecureCRT is reported to be prone to a remote denial of service vulnerability. Supplying an excessively long string to the application through the hostname field reportedly triggers the vulnerability and causes the client application to crash.

SecureCRT 4.0.9 and earlier may be vulnerable when SSH2 is used. SecureCRT 4.1 or newer provides a fix for SSH2 connections.


Posted: January 14, 2005

Description

Although reported as a remote denial of service, the vulnerability described in this advisory is a denial of service on the local machine: SecureCRT crashes if an attempt is made to connect to an SSH2 session with an excessively long hostname. The remote machine is not affected by this vulnerability.

Affected Software Versions

SecureCRT 4.0.x official
SecureCRT 3.x official
SecureCRT 2.x official
 

Vulnerability Fix Downloads

SecureCRT 4.1 - http://www.vandyke.com/download/securecrt/download.html
 

Technical Support

For further information on the security advisory, please contact VanDyke Software.
 

BugTraq Postings

The original posting of this vulnerability was made to BugTraq on December 29, 2004.
VanDyke posted this page on January 14, 2005.
 

Revision History

January 14, 2005 - Security Advisory published.