VanDyke Software

Security Advisory

VanDyke Software SecureCRT/SecureFX saved session password recovery.

Risk assessment: Low.

Posted: March 2, 2015

Description

SecureCRT and SecureFX allow individuals to save passwords as a convenience. If an individual chooses to save a password, it is stored encrypted within the session's .ini file. If an attacker then gains access to the session's .ini file, the password can be decrypted.

To be susceptible to this exposure, an individual must first choose to save passwords in SecureCRT/SecureFX. The option to save passwords is not enabled by default, and it can be administratively disabled on Windows through ADM templates. In addition, an attacker must gain access to the session .ini files, at which point a compromise has already occurred: the attacker can simply use the saved sessions in SecureCRT/SecureFX to connect to hosts with the saved credentials without ever recovering the passwords themselves.

Products NOT Affected

  • SecureCRT/SecureFX 7.3.3 and newer versions for Windows, Mac OS X and supported Linux platforms.
  • SecureCRT version 1.0.5 and newer versions for iPad.
  • SecureCRT/SecureFX versions on Mac OS X configured to use keychain for saved credentials (using keychain is the default).
  • Any version of SecureCRT/SecureFX where users choose not to save passwords, or where saving passwords is administratively disabled (via the Windows ADM template).

Products Affected

  • SecureCRT/SecureFX 7.3.2 (for Windows, Mac OS X and supported Linux platforms) and earlier versions in which individuals have chosen to save passwords.
  • SecureCRT 7.3.2 (for Windows, Mac OS X and supported Linux platforms) and earlier versions in which encrypted passwords are specified on the command line using the /ENCRYPTEDPASSWORD option.
  • SecureCRT 1.0.4 and earlier versions for the iPad platform.

Recommended Solution

It is not generally a security "best practice" to save passwords, regardless of the application in use. An administrator for Windows versions of SecureCRT/SecureFX can prevent saving passwords by applying an ADM template via AD Group Policy. When such a policy is in place, VanDyke Software client products will not allow end users to save usernames and/or passwords. A VanDyke Software GPO template file can be requested via the following web page:

Individuals who have chosen to save passwords in SecureCRT/SecureFX on Windows, Mac OS X or Linux platforms should upgrade to version 7.3.3 or newer. Individuals who are already running 7.3.0 through 7.3.2 versions as well as those whose existing licenses are eligible for 7.3.x will be able to upgrade to 7.3.3 free of charge.

Individuals with SecureCRT 7.3.2 or older on Windows, Mac OS X or Linux platforms using the /ENCRYPTEDPASSWORD command line option should consider switching to public key authentication. If switching to public key authentication is not possible, these individuals should upgrade to version 7.3.3 or newer AND regenerate saved passwords using the new version of SecureCRT.

Individuals who have chosen to save passwords in SecureCRT for the iPad platform should upgrade to 1.0.5 or newer.

Vulnerability Fix Downloads

Technical Support

If you have any questions concerning upgrade eligibility in response to this security advisory, please send an email with your registered serial number to VanDyke Software Technical Support: support@vandyke.com. Alternatively, you can use the following web form to initiate contact:

Official Postings

http://boutique.ed-diamond.com/13-misc (March 2015 issue of MISC magazine, in French)
http://synacktiv.com/en/resources.html

Revision History

March 31, 2015 - Download links made available for SecureCRT/SecureFX 7.3.3
March 2, 2015 - Security Advisory Published