VanDyke Software

Security Advisory

CPNI has released a security advisory describing a vulnerability in SSH that allows an attacker with control over the network to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration.


Posted: December 2, 2008

Description

The advisory recommends using the AES cipher in CTR mode rather than CBC mode. VShell for some platforms, SecureCRT, SecureFX, and the VanDyke ClientPack for some platforms now prefer the AES cipher in CTR mode by default.
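The following is an added example, not VanDyke Software code and not part of the original advisory. It shows why the client's preference order matters: under RFC 4253 the cipher used is the first one on the client's list that the server also offers, so a client that lists a CBC cipher first still gets CBC even when the server supports CTR. The KEXINIT payloads are constructed sample data, and the function names are hypothetical.

```python
import struct

# Constructed sample data only; cipher names are the standard SSH names (RFC 4253 / RFC 4344).
SSH_MSG_KEXINIT = 20
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, out = 17, {}  # skip the message type byte and the 16-byte cookie
    for name in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[off:off + n].decode("ascii")
        out[name] = raw.split(",") if raw else []
        off += n
    return out

def negotiated(client: list, server: list):
    """RFC 4253: first algorithm on the client's list that the server also offers."""
    return next((c for c in client if c in server), None)

def audit(client_kex: dict, server_kex: dict) -> dict:
    """Report the cipher each direction would use and whether it is CBC mode."""
    report = {}
    for direction in ("enc_c2s", "enc_s2c"):
        cipher = negotiated(client_kex[direction], server_kex[direction])
        report[direction] = (cipher, bool(cipher) and cipher.endswith("-cbc"))
    return report

def build_kexinit(enc: list) -> bytes:
    """Build a constructed KEXINIT payload for the demo (sample data, not a capture)."""
    lists = ["diffie-hellman-group14-sha1", "ssh-rsa", ",".join(enc), ",".join(enc),
             "hmac-sha1", "hmac-sha1", "none", "none", "", ""]
    body = b"".join(struct.pack(">I", len(s)) + s.encode("ascii") for s in lists)
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)

if __name__ == "__main__":
    server = parse_kexinit(build_kexinit(["aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc"]))
    old_client = parse_kexinit(build_kexinit(["aes128-cbc", "3des-cbc", "aes128-ctr"]))
    new_client = parse_kexinit(build_kexinit(["aes128-ctr", "aes256-ctr", "aes128-cbc"]))
    print("CBC-first client:", audit(old_client, server))
    print("CTR-first client:", audit(new_client, server))
```
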

Affected Software Versions

VShell 3.5.1 and earlier
SecureCRT 6.1.2 and earlier
SecureFX 6.1.2 and earlier
VanDyke ClientPack 6.1.2 and earlier

Vulnerability Fix Downloads

VShell 3.5.2 for Windows, FreeBSD, and Mac OS X*
SecureCRT 6.1.3 or later
SecureFX 6.1.3 or later
VanDyke ClientPack 6.1.3 for Windows, FreeBSD, and Mac OS X*

*Please contact VanDyke Software technical support if you are using VShell or the ClientPack for AIX, HP-UX, Red Hat for Linux, or Solaris.

Technical Support

If you have any questions concerning upgrade eligibility in response to this security advisory, please contact VanDyke Software.
 

Official Postings

CPNI published an advisory on this vulnerability on 11/14/2008. This advisory is no longer available on the CPNI website.
 

Revision History

December 2, 2008 - Security Advisory published.