Security Advisory

VanDyke Software has released new versions of its client applications to eliminate a security issue in previous versions. The issue made login credentials transmitted by VanDyke secure clients vulnerable to discovery if an attacker were able to access memory or a memory dump on the local machine.

Posted: January 29, 2003

Description

iDEFENSE, a security analysis firm, has reported that VanDyke Software Inc.'s SecureCRT® does not properly scrub memory, allowing an attacker with access to memory or a memory dump to retrieve authentication information.

An attacker can search memory or a memory dump on the local machine for login credentials. Passwords transmitted by SecureCRT can be found by searching for the string "ssh-connection". The login and password are stored in plain-text on the respective sides of this keyword.

An attacker that is able to ascertain a target user's memory dump will be able to recover passwords for remote systems. This is of special concern in shared environments. If a user suspects that his or her login credentials have been compromised then he or she should immediately change them.

This vulnerability exists in the following versions of VanDyke Software client applications:

SecureCRT: 4.0.2 and 3.4.7
SecureFX® : 2.1.2 and 2.0.4
Entunnel™ : 1.0.2 and earlier

Earlier versions of these client applications are vulnerable as well. VanDyke encourages all users whose licenses were purchased prior to June 1, 2000 to consider upgrading to the current version(s) of their licensed applications.

Revised versions of SecureCRT are available for registered users of versions 3.4.x and 4.0.x. VanDyke recommends that all users of these versions upgrade immediately to the available revisions.

Users who purchased licenses on or after June 1, 2001 may download either
SecureCRT 3.4.8 or SecureCRT 4.0.9.
Users who purchased licenses prior to June 1, 2001 should download SecureCRT 3.4.8.
Users who purchased licenses prior to June 1, 2000 should consider upgrading to version 4.1.x.

Revised versions of SecureFX are available for registered users of versions 2.0.x and 2.1.x. VanDyke recommends that all users of these versions upgrade immediately to the available revisions.

Users who purchased licenses on or after June 1, 2001 may download either
SecureFX 2.0.5 or SecureFX 2.1.8.
Users who purchased licenses on or after June 1, 2000 should download SecureFX 2.0.5.
Users who purchased licenses prior to June 1, 2000 should consider upgrading to version 2.2.x.

A revised version of Entunnel is available for all registered users. VanDyke recommends that all users upgrade immediately to this revision.

All Entunnel users should download Entunnel 1.1.2.

Affected Software Versions

SecureCRT 4.0.2 or earlier
SecureCRT 3.x official
SecureCRT 2.x official

SecureFX 2.1.x
SecureFX 2.0.x
SecureFX 1.9.x

Entunnel 1.x

Vulnerability Fix Downloads

SecureCRT 4.1.x - https://www.vandyke.com/download/securecrt/4.1/index.html
SecureCRT 4.0.9 - https://www.vandyke.com/download/securecrt/4.0/index.html
SecureCRT 3.4.8 - https://www.vandyke.com/download/securecrt/3.4/index.html

SecureFX 2.2.x - https://www.vandyke.com/download/securefx/2.2/index.html
SecureFX 2.1.8 - https://www.vandyke.com/download/securefx/2.1/index.html
SecureFX 2.0.5 - https://www.vandyke.com/download/securefx/2.0/index.html

Entunnel 1.1.2 - Contact Technical Support

Technical Support

For further information on the security advisory, please contact VanDyke Software.

Official Postings

The original notification of this vulnerability was made to VanDyke Software by iDefense on January 10, 2003 and was announced publicly on January 29, 2003.
VanDyke posted this page on January 29, 2003.

Revision History

January 29, 2003 - Security Advisory published.
February 20, 2003 - Security Advisory updated.
March 20, 2003 - Security Advisory updated.

VanDyke Software