Risk assessment: Medium-High (see below)
Posted: April 26, 2022
VanDyke clients for Windows, including SecureCRT, SecureFX, and VanDyke ClientPack, use RSA BSAFE Crypto-C Micro Edition for cryptography.
(CVE-2019-3728) Versions of RSA BSAFE Crypto-C Micro Edition prior to 4.1.4 are vulnerable to a Buffer Over-read vulnerability when processing DSA signatures. A malicious remote SSH2 server could potentially exploit this vulnerability to cause the client to crash. [High severity]
(CVE-2019-3733) Versions of RSA BSAFE Crypto-C Micro Edition prior to 4.1.4 are vulnerable to three Improper Clearing of Heap Memory Before Release vulnerabilities, also known as “Heap Inspection vulnerabilities”. A malicious local process could potentially exploit these vulnerabilities to extract information, leaving data at risk of exposure. [Medium severity]
Products Not Affected
Upgrade to SecureCRT 9.2, SecureFX 9.2, or VanDyke ClientPack 9.2 or newer for Windows.
On the Windows platform, SecureCRT version 9.2 is unable to connect to SSH2 servers whose host keys have bit sizes that are not a multiple of 256 (e.g., keys generated by Dropbear); the connection fails with a server host key verification error during the initial key exchange. If you wish to be notified when this issue has been addressed, or to find out whether a workaround is available, please send an email to VanDyke Software Technical Support at .
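Before rolling out the 9.2 clients, an administrator will want to know which servers have RSA or DSA host keys whose size is not a multiple of 256 bits. The following script is an added example and is not VanDyke code: it parses OpenSSH public-key lines (the format `ssh-keyscan` prints, or a `known_hosts` line) by walking the SSH wire format, reads the RSA modulus or the DSA prime p, and flags sizes that are not a multiple of 256. The key lines it runs on are constructed inline from integers that are not real keys; only their bit lengths matter. The function and host names are the example's own.

```python
import base64
import struct


# Helpers to build OpenSSH public-key lines in the SSH wire format, used only to
# construct offline sample input. "string" = 4-byte big-endian length + bytes;
# "mpint" = string holding a two's-complement big-endian integer, so a 0x00 byte
# is prepended when the high bit would otherwise be set.
def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")  # +8 bits reserves a sign byte
    return _ssh_string(raw)


def make_pubkey_line(key_type, *mpints, host="example-host"):
    """Constructed 'host key-type base64' line, shaped like ssh-keyscan output."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_mpint(m) for m in mpints)
    return f"{host} {key_type} {base64.b64encode(blob).decode()}"


def _read_string(blob, offset):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    return blob[offset:offset + length], offset + length


def host_key_bits(line):
    """Return (key_type, bits) for one public-key line.

    bits is the RSA modulus size or the DSA prime p size; it is None for key types
    without a variable-size modulus (ssh-ed25519, ecdsa-*), which this check skips.
    """
    fields = line.split()
    # ssh-keyscan prefixes the hostname; authorized_keys-style lines may not
    idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-")))
    key_type, encoded = fields[idx], fields[idx + 1]
    blob = base64.b64decode(encoded)
    wire_type, offset = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type inside the blob does not match the line")
    if key_type == "ssh-rsa":
        _e, offset = _read_string(blob, offset)   # public exponent e
        n, _ = _read_string(blob, offset)         # modulus n
        return key_type, int.from_bytes(n, "big").bit_length()
    if key_type == "ssh-dss":
        p, _ = _read_string(blob, offset)         # DSA prime p (q, g, y follow)
        return key_type, int.from_bytes(p, "big").bit_length()
    return key_type, None


def flag_host_keys(keyscan_output):
    """For each RSA/DSA key line return (host, key_type, bits, flagged);
    flagged is True when the size is not a multiple of 256 bits."""
    results = []
    for line in keyscan_output.splitlines():
        if not line.strip() or line.startswith("#"):   # ssh-keyscan prints "# host:port ..." comments
            continue
        key_type, bits = host_key_bits(line)
        if bits is not None:
            results.append((line.split()[0], key_type, bits, bits % 256 != 0))
    return results


# Constructed sample: a 1024-bit RSA modulus, a 1039-bit RSA modulus (a size that is
# not a multiple of 256), and a DSA key with a 1024-bit p. Not real keys.
SAMPLE_KEYSCAN = "\n".join([
    "# host-a:22 SSH-2.0-constructed",
    make_pubkey_line("ssh-rsa", 65537, (1 << 1023) | 1, host="host-a"),
    "# host-b:22 SSH-2.0-constructed",
    make_pubkey_line("ssh-rsa", 65537, (1 << 1038) | 1, host="host-b"),
    make_pubkey_line("ssh-dss", (1 << 1023) | 1, (1 << 159) | 1, 2, 3, host="host-c"),
])

if __name__ == "__main__":
    for host, key_type, bits, flagged in flag_host_keys(SAMPLE_KEYSCAN):
        status = "NOT a multiple of 256" if flagged else "ok"
        print(f"{host}: {key_type} {bits} bits ({status})")
```

To check real servers, feed `flag_host_keys` the text printed by `ssh-keyscan -t rsa,dsa <host> ...`; any line flagged True identifies a host that a 9.2 client on Windows will fail to verify until the issue is addressed.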
Vulnerability Fix Downloads
April 26, 2022 – Security Advisory Published