martin wrote:

Why do you believe that PuTTY is susceptible to OpenSSH bugs?

PuTTY and WinSCP do not use any OpenSSH code.

I was not aware they don't use OpenSSH; so now I'm really confused. Due to the discovery of the vulnerability, our network guys "shut this down" (whatever that means), and all transfers failed after that point. They rolled the change back and the transfers are working again. I am going to reach out to them and see what exactly it is they are blocking at the firewall to make sure they aren't blocking something they should be letting through. If WinSCP isn't using OpenSSH and whatever they are changing is causing it to fail, they must be blocking something else in addition to OpenSSH. Thanks for the prompt reply.

Why do you believe that PuTTY is susceptible to OpenSSH bugs?

PuTTY and WinSCP do not use any OpenSSH code.

A security vulnerability has recently been found in OpenSSH 2.3.1 through 3.3. More info here: <invalid hyperlink removed by admin>. It looks like WinSCP uses Putty 0.63+ code for SSH which I believe is susceptible. Is there any way to use an updated SSH library instead of the outdated library with the OpenSSH vulnerability?

Detailed info if link does not work:

Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt).

Integer overflow in sshd in OpenSSH 2.9.9 through 3.3 allows remote attackers to execute arbitrary code during challenge response authentication (ChallengeResponseAuthentication) when OpenSSH is using SKEY or BSD_AUTH authentication.

This event can be controlled using the ((ssh)) configuration options.