Vulnerability Note VU#165099

cryptcat does not encrypt data communications when -e command argument is used

Original Release date: 02 Mar 2002 | Last revised: 23 Feb 2004

Overview

When certain options are used, cryptcat does not encrypt network connections as expected.

Description

Cryptcat is an enhanced version of netcat that adds Twofish encryption.

If cryptcat is started in listen (server) mode with the -e command argument, binding a shell to a network port, cryptcat fails to enable encryption. Without encryption enabled on the server, cryptcat clients will not be able to connect. Furthermore, netcat clients can connect to the server port and communicate without encryption.

Impact

Users may open unencrypted ports on the server with the assumption that any connections to that port will be encrypted by cryptcat.
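
One way to test that assumption against bytes captured from the listener's port, shown as an added example that is not part of the original note or of cryptcat. The function names, thresholds and sample payloads are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

MIN_BYTES = 64  # assumption: shorter captures are too small to judge

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)

def classify_payload(data: bytes) -> str:
    """Classify server-to-client bytes captured from the listener's port."""
    if len(data) < MIN_BYTES:
        return "inconclusive"
    ratio, entropy = printable_ratio(data), shannon_entropy(data)
    if ratio >= 0.95:
        return "plaintext"         # readable shell output on the wire
    if entropy >= 6.5 and ratio <= 0.6:
        return "likely-encrypted"  # statistically resembles cipher output
    return "inconclusive"

# Constructed samples (not real captures).
PLAINTEXT_SAMPLE = (
    b"uid=1000(alice) gid=1000(alice) groups=1000(alice)\n"
    b"total 12\n-rw-r--r-- 1 alice alice  220 Jan  1 00:00 notes.txt\n"
)
# Deterministic high-entropy stand-in for ciphertext: 16 SHA-256 digests.
CIPHERLIKE_SAMPLE = b"".join(
    hashlib.sha256(bytes([i])).digest() for i in range(16)
)

if __name__ == "__main__":
    for name, blob in [("plaintext", PLAINTEXT_SAMPLE),
                       ("cipher-like", CIPHERLIKE_SAMPLE)]:
        print(name, classify_payload(blob), round(shannon_entropy(blob), 2))
```

A "plaintext" verdict on traffic from a port assumed to be protected by cryptcat matches the behaviour described above. A high-entropy verdict alone does not prove encryption, since compressed data scores the same way.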

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

None.

Systems Affected

Vendor    Status     Date Notified    Date Updated
Farm9     Unknown    -                11 Dec 2001

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

Credit

Thanks to Eric Sheesley for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

  • CVE IDs: Unknown
  • Date Public: 02 Mar 2002
  • Date First Published: 02 Mar 2002
  • Date Last Updated: 23 Feb 2004
  • Severity Metric: 0.09
  • Document Revision: 13
