VanDyke Software

Security Advisory

Impact of the OpenSSL Heartbleed Vulnerability on SecureCRT, SecureFX, and the VanDyke ClientPack


Posted: May 1, 2014

Description

VanDyke ClientPack
The VanDyke ClientPack is not affected by the Heartbleed vulnerability. Regardless of platform and version, the VanDyke ClientPack does not provide SSL/TLS connectivity.

SecureCRT
SecureCRT is not affected by the Heartbleed vulnerability. SecureCRT for Windows provides TLS/SSL connectivity (the Telnet over SSL protocol), but it does not use any OpenSSL libraries. SecureCRT for supported UNIX platforms does not support the Telnet over SSL protocol at all.

SecureFX

Windows
SecureFX on the Windows platform is not affected by the Heartbleed vulnerability. SecureFX for Windows provides TLS/SSL connectivity, but it does not use any OpenSSL libraries.

Mac/Linux
SecureFX for supported Mac/Linux platforms uses OpenSSL for FTPS protocol support and may be vulnerable to the Heartbleed vulnerability:

  • On Mac OS X, SecureFX versions 7.2.0 through 7.2.3 use and ship with a version of OpenSSL that is vulnerable to the Heartbleed bug. The SecureFX 7.2.4 maintenance release addresses this by shipping with a version of OpenSSL (1.0.1g) that contains the fix for the Heartbleed bug. Besides 7.2.0 through 7.2.3, no other SecureFX versions are affected on the Mac OS X platform.
  • On Ubuntu 12/13 and RHEL 6, SecureFX versions 7.2.0 through 7.2.3 dynamically link against OpenSSL 1.0.1, so SecureFX loads whichever OpenSSL 1.0.1 build is installed on the system. On these platforms, it is highly recommended that the system OpenSSL be upgraded to the non-vulnerable 1.0.1g version. Upgrading SecureFX is not necessary on these platforms, but SecureFX must be restarted after the OpenSSL upgrade so that the non-vulnerable version is the one loaded.

In addition to upgrading SecureFX or OpenSSL on vulnerable systems, it is recommended that any SSL certificates (and their associated private keys) used by SecureFX be replaced and that user passwords be changed.
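The Ubuntu/RHEL guidance above can be verified with a short script. This is an added example, not VanDyke's code: it classifies the output of "openssl version" against the Heartbleed-affected range and checks /proc/<pid>/maps for a SecureFX process that is still mapping the libssl that the upgrade replaced on disk, which is exactly the situation the restart requirement covers. The process name "SecureFX" and the use of pgrep are assumptions, not statements from the advisory.

```shell
#!/bin/sh
# Added example, not VanDyke's code. Checks whether the system OpenSSL reports
# a Heartbleed-range version and whether a running SecureFX on Ubuntu/RHEL
# still maps the pre-upgrade libssl (so needs the restart the advisory calls
# for). Assumes /proc, pgrep, and a process name of "SecureFX" (assumed).

# Heartbleed affects OpenSSL 1.0.1 through 1.0.1f and the 1.0.2 betas; 1.0.1g
# is the first fixed release. Takes "openssl version" output such as
# "OpenSSL 1.0.1e 11 Feb 2013"; returns 0 if in range, 1 otherwise. Caveat:
# some distributions backport the fix without changing the version string,
# so a hit means "check the package changelog", not proof of exposure.
openssl_vulnerable() {
    set -- $1                                  # word-split; $2 is the version
    case "$2" in
        1.0.1|1.0.1[a-f]|1.0.2-beta*) return 0 ;;
        *)                            return 1 ;;
    esac
}

# /proc/<pid>/maps tags a mapped file that was replaced on disk with
# "(deleted)"; a process still mapping a deleted libssl runs the old code no
# matter what "openssl version" now prints. Takes the maps text as a string.
stale_libssl_in_maps() {
    printf '%s\n' "$1" | grep -q 'libssl\.so[^ ]* (deleted)$'
}

# Constructed /proc/<pid>/maps excerpts (not real captures) for a dry run.
SAMPLE_MAPS_STALE='7f3a1c000000-7f3a1c05e000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c05e000-7f3a1c25e000 ---p 0005e000 08:01 1311 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)'
SAMPLE_MAPS_FRESH='7f3a1c000000-7f3a1c05e000 r-xp 00000000 08:01 1412 /lib/x86_64-linux-gnu/libssl.so.1.0.0'

# Print each live SecureFX process still mapping a replaced libssl; returns 0
# if at least one needs a restart, 1 otherwise.
securefx_needs_restart() {
    rc=1
    for pid in $(pgrep -x SecureFX 2>/dev/null); do
        if [ -r "/proc/$pid/maps" ] && stale_libssl_in_maps "$(cat "/proc/$pid/maps")"; then
            echo "SecureFX pid $pid still maps a replaced libssl: restart it"
            rc=0
        fi
    done
    return $rc
}

main() {
    sysver=$(openssl version 2>/dev/null) || { echo "openssl not found"; return 2; }
    openssl_vulnerable "$sysver" && echo "System OpenSSL ($sysver) is in the Heartbleed range; upgrade to 1.0.1g or later"
    securefx_needs_restart || echo "No running SecureFX maps a stale libssl"
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with --run on the host being checked; without that argument the script only defines the functions so they can be sourced and tested against the constructed samples.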

Operating System                               OpenSSL Version  Linked   Vulnerable?  Action
Windows                                        Not Used         N/A      No           None
Ubuntu and RHEL                                1.0.1            Dynamic  Possible     Upgrade OpenSSL on OS to a non-vulnerable version
Mac OS X (SecureFX 7.2.0 through 7.2.3 only)   1.0.1            Static   Yes          Upgrade to SecureFX 7.2.4 or later

Official Postings

CERT published an advisory on this vulnerability on April 7, 2014.

CODENOMICON published an advisory on this vulnerability on April 15, 2014.

Revision History

May 1, 2014 - Security Advisory published.