VanDyke Software

Security Advisory

Security Advisory — SecureCRT® 2.x, 3.x, 4.0


VanDyke Software has released SecureCRT version 3.4.8 and version SecureCRT 4.0.9 or newer, to eliminate a security issue in SecureCRT 2.x, 3.x, 4.0 beta 2 or earlier. The issue made SecureCRT vulnerable to a buffer overflow attack which could allow malicious parties to execute arbitrary code when connecting to an SSH1 server that has been modified to perform this exploit. SSH2 connections are not affected by the vulnerability.

Posted: July 25, 2002


The vulnerability allows the attacker to execute arbitrary code on the machine where SecureCRT resides. When SecureCRT connects to an SSH1 server, the server sends a version string containing minor and major numbers for the protocol, as well as a server-specific identifier string which is specified to be no more than 40 bytes long. The SecureCRT code which handles errors relating to an unsupported protocol version contains an unchecked buffer overflow when dealing with this identifier string sent from a server that has been modified to exploit this vulnerability.

This vulnerability is specific to SSH1 connections. SSH2 server connections do not share this vulnerability.

SSH2 offers substantially greater security than SSH1. VanDyke Software recommends that all SSH1 users switch to SSH2 connections if possible. Further, those users who do not have an SSH2 server currently available are encouraged to make plans to migrate to SSH2 as soon as possible.

Revised versions of SecureCRT are available for all registered users. VanDyke recommends that all users of versions 2.x and 3.x upgrade immediately to the available revisions.

Users who purchased licenses on or after June 1, 2001 may download either
SecureCRT 3.4.8 or SecureCRT 4.0.9.
Users who purchased licenses prior to June 1, 2001 should download SecureCRT 3.4.8.
Users who purchased licenses prior to July 1, 2000 should download SecureCRT 3.3.4.
Users who purchased licenses prior to January 1, 2000 should download SecureCRT 3.2.2.


Affected Software Versions

SecureCRT 4.0 beta 2 or earlier
SecureCRT 3.x official
SecureCRT 2.x official

Vulnerability Fix Downloads

SecureCRT 4.0.9 -
SecureCRT 3.4.8 -
SecureCRT 3.3.4 -
SecureCRT 3.2.2 -

Technical Support

For further information on the security advisory, please contact VanDyke Software.

BugTraq Postings

The original posting of this vulnerability was made to BugTraq on July 23, 2002.
VanDyke's response was also posted on July 23, 2002.
VanDyke posted a message announcing the revised versions and this page on July 25, 2002.

Revision History

July 25, 2002 - Security Advisory published.
July 26, 2002 - Security Advisory updated.
November 21, 2002 - Security Advisory updated.
January 21, 2003 - Security Advisory updated.
February 20, 2003 - Security Advisory updated.
April 3, 2003 - Security Advisory updated.
April 17, 2003 - Security Advisory updated.
June 19, 2003 - Security Advisory updated.
August 19, 2003 - Security Advisory updated.
October 16, 2003 - Security Advisory updated.
December 4, 2003 - Security Advisory updated.

VanDyke Software uses cookies to give you the best online experience. Before continuing to use this site, please confirm that you agree to our use of cookies. Please see our Cookie Usage for details.