VanDyke Software

Security Advisories

Addressing vulnerabilities in a timely fashion is part of our commitment to providing responsive support to our customers. VanDyke Software works closely with security investigators and researchers at CERT and other organizations to evaluate announced vulnerabilities and determine whether they impact our products. When a vulnerability is found to affect one or more of our products, we make every effort to provide a fix as quickly as possible and alert our customers using our website and our product announcement lists.

Advisories 2017


March 2017
Impact of the Python 2.7.9 CVE-2016-5699 vulnerability in SecureCRT
CVE-2016-5699

Advisories 2015


March 2015
VanDyke Software SecureCRT/SecureFX saved session password recovery

February 2015
GHOST gethostbyname() Heap Overflow in glibc (CVE-2015-0235)
CVE-2015-0235

Advisories 2014


October 2014
US-CERT TA14-290A
VanDyke Software products and the POODLE attack (SSL 3.0 Vulnerability)

CVE-2014-7169
US-CERT TA14-268A

The GNU Bourne-Again Shell (Bash) 'Shellshock' vulnerability is not applicable to VShell. VShell does not set the environment variable necessary for the exploit to be possible.

May 2014
Impact of the OpenSSL Heartbleed Vulnerability on SecureCRT, SecureFX, and the VanDyke ClientPack
CVE-2014-0160

April 2014
VShell FTPS and the OpenSSL Heartbleed Vulnerability
CVE-2014-0160

April 2014
Dual_EC_DRBG and Extended Random (ER) algorithms not used in VanDyke Software products.

Advisories 2008


December 2008
CPNI CPNI-957037

CPNI has released a security advisory describing a vulnerability in SSH that allows an attacker with control over the network to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. VShell® version 3.5.1 and earlier, SecureCRT® version 6.1.2 and earlier, SecureFX® version 6.1.2 and earlier, and VanDyke ClientPack 6.1.2 and earlier are potentially vulnerable to this attack.

July 2008
Debian DSA-1571-1

Debian has released a security advisory describing a vulnerability in the random number generator used by the OpenSSL package included with the Debian GNU/Linux, Ubuntu, and other Debian-based operating systems.

Not Applicable to VanDyke Software products. However, it is recommended that you upgrade your Debian- and Ubuntu-based systems and then regenerate cryptographic key material as described in the advisory.

Advisories 2007


January 2007
CERT VU#845620

It is theoretically possible for an attacker to forge RSA signatures when the RSA key has a public exponent of three. SecureCRT® version 5.2.1 and earlier, SecureFX® version 4.0.1 and earlier, and VShell® version 2.6.2 and earlier for Windows, Red Hat Linux, HP-UX, AIX, and Solaris are potentially vulnerable to this attack.

Advisories 2006


March 2006
Secunia SA19040

In SecureCRT versions 5.0 through 5.0.4 and SecureFX versions 3.0 through 3.0.4, a buffer overflow was theoretically possible when a Unicode string was converted to a narrow string.

Advisories 2005


August 2005
CERT VU#973635

In VShell versions 2.3.5 and earlier for Windows, when a host key is automatically created by VShell, the host key file inherits the permissions of its parent directory, potentially allowing access to authenticated users.

VShell version 2.3.6 will ensure that when a host key is automatically generated, the permissions on the host key file will be set such that only SYSTEM and members of the Administrators group will have access rights.

Advisories 2004


December 2004
BugTraq 12122

SecureCRT is reported prone to a remote denial of service vulnerability. It is reported that supplying an excessive string value to the application through the hostname field may trigger this vulnerability. Apparently, this causes the client application to crash.

SecureCRT 4.0.9 and earlier may be vulnerable when SSH2 is used. SecureCRT 4.1 or newer provides a fix for SSH2 connections.

November 2004
Secunia SA13275

Secunia Advisory - SecureCRT Arbitrary Configuration Folder Specification Vulnerability. CRT™ and SecureCRT 4.0 and 4.1 allow an arbitrary configuration folder to be specified to the "telnet:" URI handler via the "/F" command-line option. Successful exploitation allows execution of arbitrary commands via a malicious logon script with the privileges of the user running CRT or SecureCRT. This vulnerability is only applicable to users who have made CRT or SecureCRT their default Telnet client.
September 2004
CERT VU#795632
CERT Vulnerability Note - Double-free errors may allow unauthenticated remote attackers to execute arbitrary code on KDC or clients.

CERT VU#866472
CERT Vulnerability Note - Double-free errors may allow authenticated attackers to execute arbitrary code on application servers.

CERT VU#550464
CERT Vulnerability Note - Remote denial-of-service vulnerability in the KDC and libraries.

Not Applicable to VanDyke Software Products. CERT has released a security advisory affecting MIT Kerberos 5 versions 1.3.4 and earlier. Although VanDyke products are not affected, there may be installations of VShell within an MIT Kerberos 5 environment which support Kerberos authentication through GSSAPI. In such cases, administrators are strongly encouraged to update MIT Kerberos to a version later than 1.3.4.

For more information on these vulnerabilities, including information regarding fixes, please visit: MIT Kerberos Security Advisories
February 10, 2004
Microsoft MS04-007
US-CERT TA-04-041A

Microsoft has released a security bulletin (MS04-007) describing a vulnerability in the parsing of ASN.1 data that could result in remote code execution.

US-CERT published an advisory on this vulnerability on February 10, 2004.

Not Applicable to VanDyke Software products. It is, however, a critical vulnerability in affected versions of Windows for which Microsoft updates should be applied immediately.

Advisories 2003


September 30, 2003
CERT VU#104280

CERT Vulnerability Note - Multiple vulnerabilities in SSL/TLS implementations

Not Applicable to VanDyke Software products. This vulnerability only affects products that use OpenSSL.

June 04, 2003
CERT VU#978316

CERT Vulnerability Note - A vulnerability in the OpenSSH daemon (sshd) may give remote attackers a better chance of gaining access to restricted resources.

March 25, 2003
CERT VU#997481

CERT Vulnerability Note - Timing Attack Vulnerabilities

"Cryptographic libraries and applications do not adequately defend against timing attacks." SecureCRT 4.0.4 and earlier may be vulnerable when SSH1 is used. SSH2 connections are not affected by the vulnerability. No other VanDyke Software product is affected by this vulnerability. SecureCRT 4.0.9 or newer provides a fix for SSH1 connections.

January 29, 2003
iDEFENSE

VanDyke Software released versions of its client applications to eliminate a security issue that made login credentials transmitted by VanDyke secure clients vulnerable to discovery if an attacker were able to access memory or a memory dump on the local machine.

Advisories 2002


July 25, 2002
BugTraq

VanDyke Software released SecureCRT version 3.4.8 and SecureCRT version 4.0.9 or newer to eliminate a security issue in SecureCRT 2.x, 3.x, and 4.0 beta 2 or earlier. The issue made SecureCRT vulnerable to a buffer overflow attack which could allow malicious parties to execute arbitrary code when connecting to an SSH1 server that has been modified to perform this exploit. SSH2 connections are not affected by the vulnerability.

December 16, 2002
CERT VU#389665

CERT Advisory CA-2002-36 Regarding SSH Vulnerabilities

Not Applicable to VanDyke Software products.