VanDyke Software Inc. Information for VU#997481

Cryptographic libraries and applications do not adequately defend against timing attacks



Vendor Statement

The following VanDyke Software products are not vulnerable to a timing attack discussed in VU#997481 because blinding is used with RSA private keys:

VShell - all versions
SecureCRT, using SSH2 - all versions
SecureFX - all versions
Entunnel - all versions

The only VanDyke Software product that is potentially vulnerable to a timing attack is SecureCRT, when SSH1 is used. A fix for SSH1 will be available soon.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



SecureCRT 4.0.5 enables RSA blinding for SSH1:


If you have feedback, comments, or additional information about this vulnerability, please send us email.