VanDyke Software Inc. Information for VU#997481

Cryptographic libraries and applications do not adequately defend against timing attacks

Status

Affected

Vendor Statement

The following VanDyke Software products are not vulnerable to a timing attack discussed in VU#997481 because blinding is used with RSA private keys:

VShell - all versions
SecureCRT, using SSH2 - all versions
SecureFX - all versions
Entunnel - all versions

The only VanDyke Software product that is potentially vulnerable to a timing attack is SecureCRT, when SSH1 is used. A fix for SSH1 will be available soon.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

SecureCRT 4.0.5 enables RSA blinding for SSH1: