Risk assessment: Low.
Posted: March 2, 2015
SecureCRT and SecureFX allow individuals to save passwords as a convenience. If an individual chooses to save a password, it is stored encrypted within the session's .ini file. If an attacker then gains access to the session's .ini file, the password can be decrypted.
To be susceptible to this exposure, an individual must first choose to save passwords in SecureCRT/SecureFX. The option to save passwords is not enabled by default, and can be administratively disabled on Windows through ADM templates. Also, a hacker must gain access to session .ini files – at which point a compromise has already been established since the hacker can use saved sessions in SecureCRT/SecureFX to connect to hosts with saved credentials without discovering any passwords.
Products NOT Affected
It is not generally a security "best practice" to save passwords - regardless of the application in use. An administrator for Windows versions of SecureCRT/SecureFX can prevent saving passwords by applying an ADM template via AD Group Policy. When such a policy is in place, VanDyke Software client products will not allow end users to save usernames and/or passwords. A VanDyke Software GPO template file can be requested via the following web page::
Individuals who have chosen to save passwords in SecureCRT/SecureFX on Windows, Mac OS X or Linux platforms should upgrade to version 7.3.3 or newer. Individuals who are already running 7.3.0 through 7.3.2 versions as well as those whose existing licenses are eligible for 7.3.x will be able to upgrade to 7.3.3 free of charge.
Individuals with SecureCRT 7.3.2 or older on Windows, Mac OS X or Linux platforms using the /ENCRYPTEDPASSWORD command line option should consider switching to public key authentication. If switching to public key authentication is not possible, these individuals should upgrade to version 7.3.3 or newer AND regenerate saved passwords using the new version of SecureCRT.
Individuals who have chosen to save passwords in SecureCRT for the iPad platform should upgrade to 1.0.5 or newer.
Vulnerability Fix Downloads
If you have any questions concerning upgrade eligibility in response to this security advisory, please send an email with your registered serial number to VanDyke Software Technical Support: firstname.lastname@example.org. Alternatively, you can use the following web form to initiate contact:
March 31, 2015 - Download links made available for SecureCRT/SecureFX 7.3.3
March 2, 2015 - Security Advisory Published