Addressing vulnerabilities in a timely fashion is part of our commitment to providing responsive support to our customers. VanDyke Software works closely with security investigators and researchers at CERT and other organizations to evaluate announced vulnerabilities and determine whether they impact our products. When a vulnerability is found to affect one or more of our products, we make every effort to provide a fix as quickly as possible and alert our customers using our website and our product announcement lists.
Date | Reference | Summary
February 2024 | CVE-2023-5363, CVE-2023-5678, CVE-2023-6129, CVE-2024-0727 | OpenSSL vulnerabilities CVE-2023-5363, CVE-2023-5678, CVE-2023-6129, and CVE-2024-0727
December 2023 | CVE-2023-48795 | SSH2 Protocol Vulnerable to Novel Prefix Truncation Attacks, Downgrading Connection Security (CVE-2023-48795)
November 2022 | CVE-2022-3602, CVE-2022-3786 | OpenSSL 3.0.0 through 3.0.6 vulnerabilities (CVE-2022-3602 and CVE-2022-3786)
November 2022 | | VanDyke Software SecureCRT and SecureFX saved data vulnerable to brute-force attack
November 2022 | | VanDyke Software VShell saved data vulnerable to brute-force attack
April 2022 | CVE-2019-3728, CVE-2019-3733 | RSA BSAFE Crypto-C Micro Edition vulnerabilities (CVE-2019-3728 and CVE-2019-3733) and VanDyke Client Products for Windows
April 2022 | CVE-2019-3728, CVE-2019-3733 | RSA BSAFE Crypto-C Micro Edition vulnerabilities (CVE-2019-3728 and CVE-2019-3733) and VanDyke VShell Server for Windows
February 2022 | | VanDyke Software VShell for Windows Remote Execution via Triggers
February 2022 | | VanDyke Software VShell for Windows Virtual Roots SFTP Directory Traversal
December 2021 | CVE-2021-44228 | Not applicable. VanDyke Software products do not use Java and do not use the Apache Log4j library, so the Log4j vulnerability does not affect them.
May 2020 | CVE-2020-12651 | VanDyke Software SecureCRT memory corruption vulnerability (CVE-2020-12651)
January 2020 | | VanDyke Software VShell Enterprise Edition with HTTPS directory traversal vulnerability
March 2017 | CVE-2016-5699 | Impact of the Python 2.7.9 CVE-2016-5699 vulnerability in SecureCRT
March 2015 | | VanDyke Software SecureCRT/SecureFX saved session password recovery
February 2015 | CVE-2015-0235 | GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)
October 2014 | US-CERT TA14-290A | VanDyke Software products and the POODLE attack (SSL 3.0 vulnerability)
| | Not applicable to VShell. The GNU Bourne-Again Shell (Bash) "Shellshock" vulnerability requires the attacker to get an environment variable into the shell; VShell does not set the environment variable necessary for the exploit to be possible.
May 2014 | | Impact of the OpenSSL Heartbleed Vulnerability on SecureCRT, SecureFX, and the VanDyke ClientPack
April 2014 | | VShell FTPS and the OpenSSL Heartbleed Vulnerability
April 2014 | | Dual_EC_DRBG and Extended Random (ER) algorithms not used in VanDyke Software products
December 2008 | CPNI CPNI-957037 | CPNI has released a security advisory describing a vulnerability in SSH that allows an attacker with control over the network to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration (CBC-mode ciphers). VShell® version 3.5.1 and earlier, SecureCRT® version 6.1.2 and earlier, SecureFX® version 6.1.2 and earlier, and VanDyke ClientPack 6.1.2 and earlier are potentially vulnerable to this attack.
July 2008 | Debian DSA-1571-1 | Not applicable to VanDyke Software products. Debian has released a security advisory describing a vulnerability in the random number generator used by the OpenSSL package included with Debian GNU/Linux, Ubuntu, and other Debian-based operating systems. Although the products themselves are not affected, a key generated on an affected system is weak wherever it is later used, so it is recommended that you upgrade your Debian- and Ubuntu-based systems and then regenerate cryptographic key material as described in the advisory.
January 2007 | CERT VU#845620 | It is theoretically possible for an attacker to forge RSA signatures when the RSA key has a public exponent of three. SecureCRT® version 5.2.1 and earlier, SecureFX® version 4.0.1 and earlier, and VShell® version 2.6.2 and earlier for Windows, Red Hat Linux, HP-UX, AIX, and Solaris are potentially vulnerable to this attack.
March 2006 | Secunia SA19040 | In SecureCRT versions 5.0 through 5.0.4 and SecureFX versions 3.0 through 3.0.4, a buffer overflow was theoretically possible when a Unicode string was converted to a narrow string.
August 2005 | CERT VU#973635 | In VShell versions 2.3.5 and earlier for Windows, when a host key is automatically created by VShell, the host key file inherits the permissions of its parent directory, potentially allowing access to authenticated users. VShell version 2.3.6 ensures that when a host key is automatically generated, the permissions on the host key file are set such that only SYSTEM and members of the Administrators group have access rights.
December 2004 | BugTraq 12122 | SecureCRT is reported prone to a remote denial-of-service vulnerability: supplying an excessively long string to the application through the hostname field may cause the client to crash. SecureCRT 4.0.9 and earlier may be vulnerable when SSH2 is used; SecureCRT 4.1 or newer provides a fix for SSH2 connections.
November 2004 | Secunia SA13275 | Secunia Advisory - SecureCRT Arbitrary Configuration Folder Specification Vulnerability. CRT™ and SecureCRT 4.0 and 4.1 allow an arbitrary configuration folder to be specified to the "telnet:" URI handler via the "/F" command-line option. Successful exploitation allows execution of arbitrary commands via a malicious logon script with the privileges of the user running CRT or SecureCRT. This vulnerability is only applicable to users who have made CRT or SecureCRT their default Telnet client.
September 2004 | CERT VU#795632, CERT VU#866472, CERT VU#550464 | Not applicable to VanDyke Software products. CERT has released vulnerability notes affecting MIT Kerberos 5 versions 1.3.4 and earlier: double-free errors that may allow unauthenticated remote attackers to execute arbitrary code on the KDC or clients (VU#795632), double-free errors that may allow authenticated attackers to execute arbitrary code on application servers (VU#866472), and a remote denial-of-service vulnerability in the KDC and libraries (VU#550464). Although VanDyke products are not affected, VShell may be installed in an MIT Kerberos 5 environment that supports Kerberos authentication through GSSAPI. In such cases, administrators are strongly encouraged to update MIT Kerberos to a version later than 1.3.4. For more information on these vulnerabilities, including fixes, see the MIT Kerberos Security Advisories.
February 10, 2004 | Microsoft MS04-007, US-CERT | Not applicable to VanDyke Software products. Microsoft has released a security bulletin (MS04-007) describing a vulnerability in the parsing of ASN.1 data that could result in remote code execution; US-CERT published an advisory on this vulnerability on February 10, 2004. It is, however, a critical vulnerability in affected versions of Windows for which Microsoft updates should be applied immediately.
September 30, 2003 | CERT VU#104280 | Not applicable to VanDyke Software products. CERT Vulnerability Note - Multiple vulnerabilities in SSL/TLS implementations. This vulnerability only affects products that use OpenSSL.
June 04, 2003 | CERT VU#978316 | CERT Vulnerability Note - A vulnerability in the OpenSSH daemon (sshd) may give remote attackers a better chance of gaining access to restricted resources.
March 25, 2003 | CERT VU#997481 | CERT Vulnerability Note - Timing Attack Vulnerabilities
January 29, 2003 | iDEFENSE | VanDyke Software released versions of its client applications to eliminate a security issue that made login credentials transmitted by VanDyke secure clients vulnerable to discovery if an attacker were able to access memory or a memory dump on the local machine.
December 16, 2002 | CERT VU#389665 | Not applicable to VanDyke Software products. CERT Advisory CA-2002-36 regarding SSH vulnerabilities.
July 25, 2002 | BugTraq | VanDyke Software released SecureCRT version 3.4.8 and SecureCRT version 4.0.9 or newer to eliminate a security issue in SecureCRT 2.x, 3.x, and 4.0 beta 2 or earlier. The issue made SecureCRT vulnerable to a buffer overflow that could allow an attacker to execute arbitrary code when the client connects to an SSH1 server that has been modified to perform this exploit. SSH2 connections are not affected by the vulnerability.
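Why an RSA public exponent of three is dangerous (the January 2007 CERT VU#845620 entry above) is easiest to see in code. The following is an added example, not VanDyke's code and not taken from the CERT note: it carries out the Bleichenbacher-style forgery against a PKCS#1 v1.5 verifier that parses the padding from the left but never checks that the hash reaches the end of the block. The lax verifier (verify_lax), the strict one (verify_strict), the demo-grade key generation and the sample messages are all constructed here to illustrate the bug class; it assumes SHA-256 and a modulus of at least 1536 bits, and the attacker side (forge) uses nothing but the public key (n, e=3).

```python
"""Added example (not VanDyke's code): forging a PKCS#1 v1.5 signature under an
RSA key with e=3 when the verifier does not check the whole padded block."""
import hashlib
import random

E = 3
# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def is_probable_prime(n, rounds=16):
    """Miller-Rabin; fine for a demo key, not for production key generation."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_key(bits=2048):
    """Demo RSA key with e=3: p, q == 2 (mod 3) so that 3 is invertible mod phi(n)."""
    def prime(b):
        while True:
            p = random.getrandbits(b) | (1 << (b - 1)) | 1
            if p % 3 == 2 and is_probable_prime(p):
                return p
    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (n, d); Python 3.8+ for the inverse

def klen(n):
    return (n.bit_length() + 7) // 8

def emsa_pkcs1_v15(msg, k):
    """00 01 FF..FF 00 DigestInfo||H(msg), filling exactly k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(msg, n, d):
    k = klen(n)
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def verify_strict(msg, sig, n):
    """Correct verifier: the recovered block must equal the expected encoding byte for byte."""
    k = klen(n)
    return pow(int.from_bytes(sig, "big"), E, n).to_bytes(k, "big") == emsa_pkcs1_v15(msg, k)

def verify_lax(msg, sig, n):
    """Hypothetical buggy verifier: parses left to right and never checks that the
    hash ends exactly at the last byte of the block."""
    k = klen(n)
    em = pow(int.from_bytes(sig, "big"), E, n).to_bytes(k, "big")
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if em[:2] != b"\x00\x01" or i == 2 or i >= k or em[i] != 0x00:
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t  # BUG: whatever follows the hash is ignored

def icbrt(x):
    """Floor integer cube root: Newton iteration from above, then exact adjustment."""
    r = 1 << ((x.bit_length() + 2) // 3)
    while True:
        nr = (2 * r + x // (r * r)) // 3
        if nr >= r:
            break
        r = nr
    while r ** 3 > x:
        r -= 1
    while (r + 1) ** 3 <= x:
        r += 1
    return r

def forge(msg, n):
    """Attacker side, public key only. Lay out 00 01 FF 00 DigestInfo||H(msg), pad with
    zeros, and take s = ceil(cbrt(block)). s**3 - block < 3*s**2 + 3*s + 1, which fits
    inside the zero region for a modulus of 1536 bits or more, so s**3 still begins
    with the prefix; and s**3 < n, so the modular reduction never touches it."""
    k = klen(n)
    prefix = b"\x00\x01\xff\x00" + SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    target = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
    s = icbrt(target)
    if s ** 3 < target:
        s += 1
    assert s ** 3 >> (8 * (k - len(prefix))) == int.from_bytes(prefix, "big")
    return s.to_bytes(k, "big")
```

The vendor-side fix is the one verify_strict shows: rebuild the full expected encoding and compare the entire recovered block to it, rather than walking the padding and stopping at the hash. Independently of the verifier, keys with e=3 leave no margin for this class of parser mistake, which is why the usual advice is e=65537.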