VanDyke Software SecureCRT < 8.7.2 Memory Corruption

critical Nessus Plugin ID 138818

Synopsis

A terminal emulation application installed on the remote Linux host is affected by a memory corruption vulnerability.

Description

The version of VanDyke Software SecureCRT installed on the remote Linux host is prior to 8.7.2. It is, therefore, affected by a memory corruption vulnerability. An unauthenticated remote attacker may be able to exploit this vulnerability, via a malformed response, to corrupt memory in the terminal process and execute arbitrary code.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update to VanDyke Software SecureCRT 8.7.2 or later.

See Also

https://www.vandyke.com/products/securecrt/history.txt

https://bugs.chromium.org/p/project-zero/issues/detail?id=2033

Plugin Details

Severity: Critical

ID: 138818

File Name: securecrt_cve-2020-12651.nasl

Version: 1.5

Type: local

Agent: unix

Family: Misc.

Published: 7/22/2020

Updated: 10/25/2021

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2020-12651

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:vandyke:securecrt

Required KB Items: installed_sw/SecureCRT

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/14/2020

Vulnerability Publication Date: 5/14/2020

Reference Information

CVE: CVE-2020-12651

IAVA: 2020-A-0229