SecureCRT

What's new in this version:

SecureCRT 9.5.0
Fixed:
- Windows: Closing an RDP session tab could have caused SecureCRT to hang


SecureCRT 9.4.3
Fixed:
- SSH2: For some algorithms, an attacker can manipulate the packets sent during key exchange to cause some packets to be removed, which compromises channel integrity.  A "Strict KEX" extension was implemented to address this vulnerability (CVE-2023-48795).
In order to use the "Strict KEX" extension, the extension must be supported by both the client and the server.


SecureCRT 9.4.2
Fixed:
- When zooming the session font, the top rows of the view may have been hidden
- Windows: If a connection error occurred during the early stages of key exchange, SecureCRT could have crashed
- Windows: If the "Hide Session ANSI Color Page" global INI-file-only option was disabled, opening the Session Options dialog resulted in a crash
- Windows: When opening the Session Manager, performance may have been impacted due to the protocol specific session icons. A "Use Old Session Manager Icons" global INI-file-only option has been added to allow the use of the old generic icons.


SecureCRT 9.4.1
Vulnerability:
- Updated the included OpenSSL library to version 3.0.9, which addresses a relatively low-risk vulnerability related to processing X.509 certificates. The library update also addresses an issue where Windows 11 Defender reported libcrypto-3-x64.dll as vulnerable.

Fixed:
- When using the Button Bar Manager to duplicate or rename an existing button bar, the buttons on the copied/renamed button bar may have been lost
- When zooming the session font, the top rows of the view may have been hidden
- When a connected session was configured to use the "System Color Scheme" color scheme and the system color mode was changed, the session's color scheme did not update as expected
- Windows: When the local shell arguments and/or initial folder options were set in the default local shell session, those settings were not used by new local shell sessions


SecureCRT 9.4.0
- Change log not available for this version


SecureCRT 9.3.2
Fixed:
- When using "Receive ASCII" to capture data from the remote system, the captured data may have been corrupt
- When keyword highlighting was enabled, not all phrases were highlighted as expected
- Windows: When using the JAWS screen reader, characters displayed in the terminal were sometimes not read as expected


SecureCRT 9.3.1
- When authenticating using an OpenSSH trusted RSA certificate, authentication failed with OpenSSH version 7.7p1 and earlier


SecureCRT 9.3.0
Vulnerability addressed:
- An external report claims that when using a brute-force attack, sensitive data, such as passwords, stored in the SecureCRT or SecureFX configuration without a configuration passphrase or with a weak configuration passphrase can be cracked in a relatively short amount of time. Direct access to the configuration data is required in order to exploit this vulnerability.

Changed:
- Windows: When the command-line utilities are installed with the SecureCRT standalone installer, the install path is added to the PATH environment variable


SecureCRT 9.2.2
- If a saved credential was modified while editing multiple sessions simultaneously, SecureCRT could have crashed
- When a newly generated public key was saved in OpenSSH format, the key could not be used for authentication due to an incorrect file format error
- When editing multiple sessions at once, the port field could not be changed
- When using the "Personal data folder" option, if a session option was modified, the personal data store options could have been saved to the non-personal configuration
- If multiple sessions were connected in tab groups, zooming the font in one tab group could have caused the font zoom to be reset in another tab group
- Windows: If multiple RDP sessions were connected and the "Close on disconnect" session option was enabled, closing the main window could have resulted in a crash on exit
- Windows: When the "Make SecureCRT the Default Application" button was pressed, SecureCRT was not set as the default application for SSH or Telnet URLs
- Windows: When the confirm disconnect option was enabled and an RDP session was connected, closing the application resulted in multiple confirm disconnect prompts
- Windows: When using the Microsoft Pinyin Input Method Editor to enter Chinese characters in fields that contained hint text (e.g., Session Manager filter field), the hint text was not cleared when the Chinese characters were entered


SecureCRT 9.2.1
Fixed:
- If the Button Manager dialog was launched from the Button Bar Manager dialog, changes to the buttons were not saved
- When connecting to a server that uses an X.509 certificate for the host key, even though the certificate met all requirements for automatic acceptance of the host key by the client, the application still prompted the user to manually accept and save the key
- When RDP or Local Shell sessions were exported and later imported to a different configuration, the protocol-specific options may not have been preserved as expected
- In certain cases, when moving focus from the hostname field to the port field using the tab key, the text contained within the port field was not selected


SecureCRT 9.2.0
- Change log not available for this version


SecureCRT 9.1.1
New:
- Windows: SecureCRT 9.1.1 is compatible with Windows 11

Fixed:
- When a script enabled file logging for a connection, the "Timestamp each line" logging option may have inadvertently been enabled


SecureCRT 9.1.0
- Change log not available for this version


SecureCRT 9.0.2
Change:
- Windows: The Scratchpad and Script Editor now honor the "Use ClearType to smooth edges of screen fonts" global option

Fixed:
- When connected to a host using TN3270 emulation, if the current partition was unformatted, the SETBUFFERADDRESS command was unexpectedly included in SecureCRT's response
- Windows: If a session was configured to use a firewall that prompted for credentials, and that session was configured to automatically connect at application startup, SecureCRT crashed
- Windows: Under certain circumstances, when opening the Session Manager, some folders may not have been expandable
- Windows: When authenticating with a PKCS#11 certificate with certain signature algorithms, the key may not have been added to the SSH agent
- Windows: Under certain environments, when connecting to an RDP session, the remote display would not scale to match the local desktop
- Mac/Linux: If a log file was initially created with the "Append to file" logging option enabled, Unicode characters may not have been logged correctly


SecureCRT 9.0.1
Changed:
- Restored the ability to use the SHA1-96 and MD5-96 MACs

Fixed:
- If a script that made a connection was specified on the command line, a "script is currently running" error was incorrectly reported. The script did run after the dialog was dismissed
- When performing a "Find" operation in the terminal view, if the end of the buffer was reached, the search direction could not be reversed
- Windows: When a disconnected RDP session tab was reused by a new RDP connection, the title bar text was not updated


SecureCRT 9.0.0
Fixed:
- When a script was specified on the SecureCRT command line, the error "script is currently running" was incorrectly reported. The script did run after the dialog was dismissed
- Windows: If a user was denied remote desktop access on the target system, connecting with an RDP session silently failed without reporting the system error


SecureCRT 8.7.3
Fixes:
- When the sample ANSI color palette was shown for a color scheme, the colors displayed did not match the descriptive text for the color (e.g., "ANSI Red" text was displayed using the green color)
- The display of certain Unicode characters (e.g., emojis) in the terminal could have caused other characters to appear as clipped
- Windows: When using CAPI to access a certificate located on a smart card, if the CAPI store contained multiple certificates, there could have been a delay before being prompted for the smart card pin
- Windows: On high-DPI monitors with a large scaling factor set, text displayed on the Keyboard Interactive authentication prompt could have been cut off
- Windows: When the Command Window was displayed, the height of the window increased by one pixel each time SecureCRT was restarted
- Windows: If the Session Manager and Command Manager were docked in stacked layout, the size of the individual manager windows was not retained between instances of SecureCRT
- Mac/Linux: Text displayed on the Keyboard Interactive and View Host Key dialogs could not be selected or copied


SecureCRT 8.7.2
Bug fixes:
- If a script was launched from a button bar button or keymap shortcut and the script file could not be located, a misleading error was reported
- Windows: If the Session Manager and Command Manager were docked within the same pane and configured to be auto-hidden, the expanded size of the managers could change when SecureCRT restarted
- Windows: On the public-key authentication failed dialog, when the left and right arrows were used to change focus between the Skip and OK buttons, the focus moved the opposite direction of the arrow key pressed.


SecureCRT 8.7.1
New feature:
- Windows: Added an administrative policy that disallows the TFTP
server from being run

Changes:
- The performance of keyword highlighting has been improved to be as fast as and in many cases, much faster, than version 8.5.
- SecureCRT now handles the Xterm "paste bracketing" escape sequence so that indentation is correct when indented text is pasted into an editor
- Added an optional "hide output" parameter to the Session Object Lock() method
- SSH2: When doing public-key authentication, if there is no corresponding private-key file without an extension and there is a private-key file with a .ppk extension, it will be used.

Vulnerability addressed:
- TFTP: The TFTP server is off by default. However, when the TFTP server was running, SecureCRT was vulnerable to a directory traversal attack that allowed access to arbitrary files on the local system.

Bug fixes:
- When running a version of the Midnight Commander file manager that supports extended coordinate mouse clicks, mouse operations from within SecureCRT did not work
- When multiple screens were created using the "screen" utility, the scrollback from one screen could end up in the scrollback for a different screen
- When multiple screens were created using the "screen" utility, the man page output went to the scrollback buffer
- In the Manage Agent Keys dialog, the columns expanded every time the dialog opened, which eventually caused all column headers to disappear
- If two sessions were connected and then a session was sent to a new window, if the Hex view was opened, no data was displayed in the Hex view for the session
- The items "MENU_TOGGLE_KEYWORD_HIGHLIGHTING" and "MENU_CONNECT_LOCAL_SHELL" were not recognized when they were included in a custom .MNU file
- Windows: If folders were rearranged in the Command Manager, the folder order was not remembered when SecureCRT restarted
- Windows: If the Session Manager and Command Manager were unpinned (auto hide) and the Session Manager was pinned, the Command Manager became active
- Windows: Some of the arrow buttons in the Global and Session Options dialogs did not work correctly with screen readers, such as JAWS and NVDA


SecureCRT 8.7.0
Change:
- SSH2: Keyboard-interactive authentication works with a prompt that contains "password" with any combination of upper and lower case letters (e.g., "Password" or "PASSWORD")

Bug fixes:
- When an editor (e.g., vi or vim) was used to edit a file on the remote system, the wrong line could have been deleted when the delete line command was sent
- When a session with an authentication banner reconnected, extra newlines were inserted after the banner
- Windows: Sending a session to a new window and then attempting to lock it with the "Hide Output" option checked resulted in a crash
- Windows: If the global transparency setting for active sessions was set to a value less than 255, when a tabbed session was cloned, no output was displayed


SecureCRT 8.5.4
Changes:
- Updated the version of Python that ships with SecureCRT to 2.7.16

Bug Fixes:
- Windows: When using both the left and right mouse buttons to simulate a middle-button click, and the "Paste on middle button" option was enabled, the paste operation would not succeed


SecureCRT 8.5.3
Change:
- Treat the [email protected] key-exchange algorithm as
- Synonymous to the curve25519-sha256 algorithm.

Bug fixes:
- Under certain circumstances, tiled session did not resize correctly after resizing the Command window.
- If the default session protocol was set to something other than TAPI and the Quick Connect protocol was changed to TAPI, attempting to configure TAPI produced an error.
- If the Screen.get2() scripting function was called, line drawing characters in the terminal window could be corrupted.
- When a large scrollback buffer was configured, the scroll bar could get stuck at the top of the scrollback.
- SecureCRT now prevents multiple Connect bars from being added to the toolbar.
- SSH2: If the public key in use was generated with the ssh-keygen Z option, SecureCRT could crash when attempting to enter the passphrase.
- When SecureCRT was maximized or full screen, if the font was zoomed in using CTRL+ or the mouse wheel, attempting to zoom out using CTRL- or the mouse wheel did not work.
- If Python 3.x was installed on the system and the PYTHONPATH variable was set, SecureCRT could fail to launch.
- When "Background colors" tab status indicators were used and enough sessions to fill the tab bar were connected, there was a significant lag when connecting new sessions or closing sessions.


SecureCRT 8.5.2
New feature:
- Added support for the curve25519-sha256 key-exchange algorithm.

Bug fixes:
- If an OpenSSH format key was manually added to the host key database, SecureCRT crashed when attempting to connect to a host that used that key.
- If the Session Manager was pinned and the active session had keyword highlighting on and it was toggled off by selecting "Keyword
- Highlighting" from the Options menu and then the Session Manager was hidden, keyword highlighting was re-enabled.
- Windows: In the Command Window, if the option "Send Characters
- Immediately" was set, pressing CTRL+A selected all the text in the
- Command Window instead of sending the CTRL+A to the session(s).
- Windows: When using the mouse wheel to scroll session output, there was a dead spot in the terminal area where scrolling stopped if the mouse cursor was positioned there.
- Windows: Attempting to display the Activator's About box caused an error message to be displayed.
- Mac/Linux: If the Session Manager was undocked and redocked, the terminal area size changed.
- Mac: SecureCRT could crash if a session had a dependent session and the wrong password had been saved for both sessions and the wrong password was entered when attempting to connect to the session.
- Mac: If CTRL+ was used to select multiple folders in the
- Session Manager or Connect dialog and then arrow keys were pressed, the selection could not be cleared.
- Linux: On Ubuntu 18.x, when running Midnight Commander, if CTRL+O was used to show and hide panels until there was no command prompt and then Midnight Commander was restarted as root and CTRL+O was used to hide panels, the command prompt was at the top of the window and new output was displayed incorrectly.


SecureCRT 8.5.1
New feature:
- Added a new script function FileSaveDialog() that allows saving to
- a file that does not exist.

Bug fixes:
- If the command line specified a saved session (/S) and overrode the local listening IP address (/LOCAL), an error was reported and the session did not connect.
- The button bar list was empty if button bars were imported when the button bar list was not displayed and then the button bar was displayed.
- Windows: On Windows Server 2008 R2, the icons in the Session Manager and Connect dialog were not drawn correctly.
- Windows: On a high-DPI monitor scaled to 125%, the 10-point Lucida
- Console font looked larger and bold compared to how that font looked in other applications.


SecureCRT 8.5
Bug fix:
- SecureCRT could crash if a new folder was created in the Session Manager or Connect dialog and there was at least one other folder under "Sessions" and then sorting was changed to manual arrangement and a session was dragged to be between the "Session" folder and the top folder