Risk assessment: Low
Posted: February 27, 2024
Description
As of January 26, 2024, the OpenSSL organization announced vulnerabilities CVE-2023-5363, CVE-2023-5678, CVE-2023-6129, and CVE-2024-0727.
These vulnerabilities are fixed in OpenSSL 3.0.13 and OpenSSL 3.1.5.
Products Not Affected
- SecureCRT/SecureFX (Windows): Versions 9.5.1 and newer
- SecureCRT/SecureFX (macOS): Versions 9.5.1 and newer
- SecureCRT/SecureFX (Linux): Running on platforms using the latest OpenSSL version available to the system
- VShell (Windows): All versions
- VShell (macOS): Versions 4.9.2 and newer
- VShell (Linux): Running on platforms using the latest OpenSSL version available to the system
Products Affected
- SecureCRT/SecureFX (Windows): Versions 9.5.0 and older in some non-default configurations (see the Additional Details for SecureCRT/SecureFX on Windows section)
- SecureCRT/SecureFX (macOS): Versions 9.5.0 and older
- VShell (macOS): Versions 4.9.1 and older
Additional Details for SecureCRT/SecureFX on Windows
- OpenSSL libraries are included in the SecureCRT/SecureFX installation but are not used by default.
- SecureCRT:
  - OpenSSL libraries are not used unless you are connecting with the Telnet/TLS protocol with the Use OpenSSL for TLS option enabled.
  - You can omit the Telnet/TLS protocol from the installer when deploying/modifying a SecureCRT installation using the following command:
    scrt-x64-bsafe.9.5.0.3241.exe /s /v"/qn ADDLOCAL=ALL REMOVE=TelnetSsl_x64"
- SecureFX:
  - OpenSSL libraries are not used unless you are connecting using the FTPS/HTTPS protocols with the Use OpenSSL for TLS option enabled.
Recommended Solutions
- SecureCRT/SecureFX (Windows and macOS):
  - All versions: Upgrade SecureCRT/FX to version 9.5.1 or newer
- SecureCRT/SecureFX (Linux):
  - Versions 9.3 and older:
    - Upgrade to version 9.4.3 or newer and patch Linux system with latest available version of OpenSSL 3.0.x (see Note)
  - Versions 9.4 and newer:
    - Patch Linux system with latest available version of OpenSSL
- VShell (macOS):
  - All versions: Upgrade VShell to 4.9.2 or newer
- VShell (Linux):
  - Versions 4.8 and older:
    - Upgrade to version 4.9.2 or newer and patch Linux system with latest available version of OpenSSL 3.0.x (see Note)
  - Versions 4.9 and newer:
    - Patch Linux system with latest available version of OpenSSL
Note: OpenSSL 1.1.1.x is used by SecureCRT/FX 9.3, VShell 4.8, and older versions. As of this writing, the OpenSSL team has not released fixes for CVE-2023-5363 or CVE-2023-6129 in 1.1.1.x. Therefore, in order to address all four vulnerabilities on Linux platforms, it is necessary to both upgrade the VanDyke software products and upgrade OpenSSL.
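For the Linux recommendations above, the following added example (not VanDyke or OpenSSL project code) classifies an `openssl version` string against the fixed releases this advisory names, 3.0.13 and 3.1.5, and flags 1.1.1.x as lacking a complete fix per the Note. The function name `classify_openssl`, its result labels, and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare an `openssl version` string with the fixed
# releases named in this advisory (OpenSSL 3.0.13 and 3.1.5).

# classify_openssl "<output of: openssl version>"  (hypothetical helper)
# Prints one of: fixed | needs-patch | no-full-fix | not-covered | unparsed
classify_openssl() {
    # Extract the numeric version; a letter suffix (1.1.1w) is dropped.
    ver=$(printf '%s\n' "$1" | sed -n \
        's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)[^ ]*.*/\1/p')
    [ -n "$ver" ] || { echo unparsed; return 0; }

    # Per the Note: 1.1.1.x has no fix for two of the four CVEs.
    [ "$ver" = "1.1.1" ] && { echo no-full-fix; return 0; }

    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    # Minimum patch level per branch, taken from the advisory text.
    case "$major.$minor" in
        3.0) min=13 ;;
        3.1) min=5 ;;
        *)   echo not-covered; return 0 ;;  # branch not named in the advisory
    esac

    if [ "$patch" -ge "$min" ]; then echo fixed; else echo needs-patch; fi
}

# Constructed sample strings (not captured from real hosts).
for s in "OpenSSL 3.0.13 30 Jan 2024" \
         "OpenSSL 3.1.4 24 Oct 2023" \
         "OpenSSL 1.1.1w  11 Sep 2023"; do
    printf '%-30s -> %s\n' "$s" "$(classify_openssl "$s")"
done
```

On a live host, run `classify_openssl "$(openssl version)"`. Distribution packages often backport fixes without changing the upstream version string, so confirm a `needs-patch` result against the distribution's security notices before acting on it.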
Vulnerability Fix Downloads
- Download SecureCRT 9.5.1 or newer
- Download SecureFX 9.5.1 or newer
- Download VShell 4.9.2 or newer
Official Postings
Revision History
February 27, 2024 – Security Advisory Published