VanDyke Software

Security Advisory

Security Advisory

VanDyke Software products and the POODLE attack (SSL 3.0 Vulnerability)


Posted: November 4, 2014

Overview

A vulnerabilty has been found in SSL 3.0 specific to the way padding is handled for block-mode ciphers. Authors of the POODLE attack have shown how information encrypted in SSL 3.0 can be recovered/decrypted by exploiting this design flaw.

Official versions of VShell 4.0.5 and SecureCRT/SecureFX 7.3.1 will be released in the near future to address this vulnerability for connection protocols that rely on SSL/TLS. To receive pre-release versions of these products which disable SSL 3.0 protocol negotiation, please contact VanDyke Software technical support: support@vandyke.com

Products NOT Affected

  • VShell (SSH2/SFTP). The POODLE attack is not applicable to VShell (SSH2/SFTP) because SSL is not used regardless of platform/version.
  • SecureCRT for Mac and Linux platforms. SecureCRT for Mac/Linux platforms is not affected because Telnet/SSL is not a protocol choice available in SecureCRT for these platforms.
  • VanDyke ClientPack. VanDyke ClientPack utilities do not provide SSL connectivity.

Products Affected

  • VShell FTPS for Windows and UNIX platforms -- FTPS protocols only (the POODLE attack is not applicable to SSH2/SFTP protocols).
  • SecureCRT for Windows platforms, only when the "Telnet/SSL" protocol is in use -- all other connectivity protocols in SecureCRT are NOT AFFECTED by the POODLE SSL 3.0 vulnerability.
  • SecureFX (including the SFXCL command line utility) on all supported platforms, only when the "FTPS (implicit)" or the "FTPS (explicit)" protocols are used. All other connectivity protocols in SecureFX are NOT AFFECTED by the POODLE SSL 3.0 vulnerability.

Recommended Solution

Wherever possible, SSL 3.0 should be disabled. Legacy clients/servers that only support SSL 3.0 should be updated to support TLS protcol versions that aren't vulnerable.

SecureCRT and SecureFX 7.3.1 and newer versions for all supported platforms will not allow SSLv3 in any Telnet/SSL or FTPS protocol negotiations.

We recommend that individuals running SecureCRT/SecureFX versions prior to 7.3.1 who depend on FTPS or Telnet/SSL connectivity upgrade to version 7.3.1 or newer as soon as possible.

VShell FTPS version 4.0.5 and newer for all supported platforms will not allow SSLv3 in any FTPS protocol negotiations.

We recommend that individuals running VShell FTPS versions prior to 4.0.5 upgrade to version 4.0.5 or newer as soon as possible.

Official Postings

CERT published an advisory on this vulnerability on October 17, 2014.

Revision History

November 4, 2014 - Security Advisory published.