Security Advisory
    VanDyke Software SecureCRT and SecureFX saved data vulnerable to brute-force attack
    Risk assessment: Medium
    
    Posted: November 3, 2022
				  
    Description
    
        An external report claims that sensitive data, such as passwords, stored in the SecureCRT or SecureFX configuration without a configuration passphrase or with a weak configuration passphrase can be cracked by a brute-force attack in a relatively short amount of time. Direct access to the configuration data is required to exploit this vulnerability.
    
	
    Products Affected
    
        
        - SecureCRT: versions 9.2.3 and earlier
        - SecureFX: versions 9.2.3 and earlier
 
       
    
    Recommended Solutions
	
	    
        - SecureCRT: Upgrade to version 9.3.0 and use a strong configuration passphrase.
        - SecureFX: Upgrade to version 9.3.0 and use a strong configuration passphrase.
        - In versions of SecureCRT and SecureFX prior to 9.3, use a strong configuration passphrase (minimum of 12 characters, mixed case, numbers, and symbols).
 
        
    
    Notes regarding SecureCRT and SecureFX 9.3:
	
        
        - A stronger cryptographic algorithm is used to encrypt sensitive data stored in the configuration.
        - The UI for selecting the configuration passphrase indicates the strength of the passphrase as it’s being entered.
 
        
    
    Vulnerability Fix Downloads
	    
    Revision History

        November 3, 2022 – Security Advisory Published