sglawson

Re: OpenSSH vulnerability, is WinSCP safe?

martin wrote:

Why do you believe that PuTTY is susceptible to OpenSSH bugs?

PuTTY and WinSCP do not use any OpenSSH code.


I was not aware they don't use OpenSSH; so now I'm really confused. Due to the discovery of the vulnerability, our network guys "shut this down" (whatever that means), and all transfers failed after that point. They rolled the change back and the transfers are working again. I am going to reach out to them and see what exactly it is they are blocking at the firewall to make sure they aren't blocking something they should be letting through. If WinSCP isn't using OpenSSH and whatever they are changing is causing it to fail, they must be blocking something else in addition to OpenSSH. Thanks for the prompt reply.
martin

Re: OpenSSH vulnerability, is WinSCP safe?

Why do you believe that PuTTY is susceptible to OpenSSH bugs?

PuTTY and WinSCP do not use any OpenSSH code.
sglawson

OpenSSH vulnerability, is WinSCP safe?

A security vulnerability has recently been found in OpenSSH 2.3.1 through 3.3. More info here: https://www.snort.org/rule_docs/128-1. It looks like WinSCP uses PuTTY 0.63+ code for SSH which I believe is susceptible. Is there any way to use an updated SSH library instead of the outdated library with the OpenSSH vulnerability?

Detailed info if link does not work:

Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt).

Integer overflow in sshd in OpenSSH 2.9.9 through 3.3 allows remote attackers to execute arbitrary code during challenge response authentication (ChallengeResponseAuthentication) when OpenSSH is using SKEY or BSD_AUTH authentication.

This event can be controlled using the ((ssh)) configuration options.
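
An added example, not part of the thread and not WinSCP or PuTTY code: both advisories quoted above concern `sshd` in specific OpenSSH releases, so the relevant check is which implementation and version the server announces in its SSH identification string. The function names and the sample banners are constructed for illustration.

```python
import re

# Affected sshd version ranges as quoted in the post above (inclusive bounds).
AFFECTED = {
    "buffer overflow (PAMAuthenticationViaKbdInt)": ((2, 3, 1), (3, 3, 0)),
    "integer overflow (SKEY/BSD_AUTH)": ((2, 9, 9), (3, 3, 0)),
}

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
IDENT_RE = re.compile(r"^SSH-([^-\s]+)-(\S+)(?: .*)?$")
OPENSSH_RE = re.compile(r"^OpenSSH[_-](\d+)\.(\d+)(?:\.(\d+))?")


def parse_ident(line):
    """Return (protoversion, softwareversion) from an identification string."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.group(1), m.group(2)


def openssh_version(software):
    """Return (major, minor, patch) for OpenSSH banners, None for anything else."""
    m = OPENSSH_RE.match(software)
    if m is None:
        return None
    return tuple(int(part or 0) for part in m.groups())


def matching_advisories(ident_line):
    """List the quoted advisories whose version range covers this banner."""
    _, software = parse_ident(ident_line)
    version = openssh_version(software)
    if version is None:
        return []  # PuTTY, WinSCP, ...: separate code base, ranges do not apply
    # A match is a lead for patch verification, not proof: vendors backport
    # fixes, and both bugs depend on the sshd authentication settings.
    return [name for name, (low, high) in AFFECTED.items() if low <= version <= high]


# Constructed sample banners (not captured from real hosts).
SAMPLES = [
    "SSH-1.99-OpenSSH_2.9p2\r\n",
    "SSH-2.0-OpenSSH_3.3\r\n",
    "SSH-2.0-OpenSSH_3.4p1\r\n",
    "SSH-2.0-PuTTY_Release_0.63\r\n",
    "SSH-2.0-WinSCP_release_5.5.6\r\n",
]
RESULTS = {banner.strip(): matching_advisories(banner) for banner in SAMPLES}
```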