VanDyke Software Inc. Information for VU#997481
Cryptographic libraries and applications do not adequately defend against timing attacks
- Vendor Information Help Date Notified: 11 Mar 2003
- Statement Date:
- Date Updated: 04 Apr 2003
The following VanDyke Software products are not vulnerable to a timing attack discussed in VU#997481 because blinding is used with RSA private keys:
VShell - all versions
SecureCRT, using SSH2 - all versions
SecureFX - all versions
Entunnel - all versions
The only VanDyke Software product that is potentially vulnerable to a timing attack is SecureCRT, when SSH1 is used. A fix for SSH1 will be available soon.
The vendor has not provided us with any further information regarding this vulnerability.
SecureCRT 4.0.5 enables RSA blinding for SSH1:
If you have feedback, comments, or additional information about this vulnerability, please send us email.