VanDyke Software

Security Advisory

RSA BSAFE Crypto-C Micro Edition vulnerabilities (CVE-2019-3728 and CVE-2019-3733) and VanDyke Client Products for Windows

Risk assessment: Medium-High (see below)


Posted: April 26, 2022

Description

VanDyke clients for Windows including SecureCRT, SecureFX, and VanDyke ClientPack use RSA BSAFE Crypto-C Micro Edition for cryptography.

(CVE-2019-3728) Versions of RSA BSAFE Crypto-C Micro Edition prior to 4.1.4 are vulnerable to a Buffer Over-read vulnerability when processing DSA signatures. A malicious remote SSH2 server could potentially exploit this vulnerability to cause the client to crash. [High severity]

(CVE-2019-3733) Versions of RSA BSAFE Crypto-C Micro Edition prior to 4.1.4 are vulnerable to three Improper Clearing of Heap Memory Before Release vulnerabilities, also known as “Heap Inspection vulnerabilities”. A malicious local process could potentially exploit these vulnerabilities to extract information, leaving data at risk of exposure. [Medium severity]
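As an added, defender-side illustration of the second issue (example code, not VanDyke's or RSA's): the hardened release path wipes per-session key material before freeing it, through a volatile zeroing helper so the optimizer cannot drop the wipe as a dead store; the key_ctx type, secure_zero helper and sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdlib.h>

/* Per-session key material held on the heap (constructed for this example;
 * it stands in for the contexts a crypto library allocates per connection). */
typedef struct {
    unsigned char key[32];
    unsigned char iv[16];
    size_t key_len;
} key_ctx;

/* Zero memory through a volatile pointer. A plain memset() immediately before
 * free() is a dead store the optimizer may legally remove, which is one way
 * "improper clearing before release" creeps in; volatile writes cannot be
 * elided. (Hypothetical helper; explicit_bzero, memset_s and SecureZeroMemory
 * are the platform equivalents.) */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Allocate a context filled with constructed sample key material. */
static key_ctx *key_ctx_new(void) {
    key_ctx *ctx = calloc(1, sizeof *ctx);
    if (!ctx) return NULL;
    for (size_t i = 0; i < sizeof ctx->key; i++) ctx->key[i] = (unsigned char)(0xA5 ^ i);
    for (size_t i = 0; i < sizeof ctx->iv; i++) ctx->iv[i] = (unsigned char)(0x5C + i);
    ctx->key_len = sizeof ctx->key;
    return ctx;
}

/* Weak pattern: release without clearing, so the secret bytes outlive the
 * object inside the freed chunk until the allocator happens to reuse it. */
static void key_ctx_free_weak(key_ctx *ctx) { free(ctx); }

/* Hardened pattern: wipe every field, then release. key_ctx_wipe returns the
 * number of bytes cleared so a caller or test can confirm full coverage. */
static size_t key_ctx_wipe(key_ctx *ctx) {
    if (!ctx) return 0;
    secure_zero(ctx, sizeof *ctx);
    return sizeof *ctx;
}
static void key_ctx_free_hardened(key_ctx *ctx) {
    if (key_ctx_wipe(ctx)) free(ctx);
}

/* Count bytes in a region that still hold a non-zero value (used to verify the wipe). */
static size_t nonzero_bytes(const void *p, size_t n) {
    const unsigned char *b = p;
    size_t c = 0;
    while (n--) c += (*b++ != 0);
    return c;
}
```

Calling key_ctx_wipe on the object and checking nonzero_bytes before free is the cheap unit test that catches a wipe being optimized away or a newly added secret field being missed.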

Products Not Affected

  • SecureCRT 9.2, SecureFX 9.2, VanDyke ClientPack 9.2, and newer versions for Windows
  • SecureCRT, SecureFX, and VanDyke ClientPack for macOS and Linux
  • SecureCRT for iOS

Products Affected

  • SecureCRT 9.1.1, SecureFX 9.1.1, VanDyke ClientPack 9.1.1, and earlier versions for Windows

Recommended Solution

Upgrade to SecureCRT 9.2, SecureFX 9.2, VanDyke ClientPack 9.2, or newer versions for Windows.

Known Issue

On the Windows platform, SecureCRT version 9.2 is unable to connect to SSH2 servers with host keys that have bit sizes which are not a multiple of 256 (e.g., Dropbear), resulting in a server host key verification error during initial key exchange. If you wish to be notified when this issue has been addressed or find out if a workaround is available, please send an email to VanDyke Software Technical Support at .

Vulnerability Fix Downloads

Official Postings

https://nvd.nist.gov/vuln/detail/CVE-2019-3728

https://nvd.nist.gov/vuln/detail/CVE-2019-3733

Revision History

April 26, 2022 – Security Advisory Published
