OpenSSH vulnerability, is WinSCP safe?

sglawson

A security vulnerability has recently been found in OpenSSH 2.3.1 through 3.3. More info here: <invalid hyperlink removed by admin>. It looks like WinSCP uses PuTTY 0.63+ code for SSH, which I believe is susceptible. Is there any way to use an updated SSH library instead of the outdated library with the OpenSSH vulnerability?

Detailed info if link does not work:

Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt).

Integer overflow in sshd in OpenSSH 2.9.9 through 3.3 allows remote attackers to execute arbitrary code during challenge response authentication (ChallengeResponseAuthentication) when OpenSSH is using SKEY or BSD_AUTH authentication.

This event can be controlled using the ((ssh)) configuration options.
Last edited by sglawson on 2016-01-20 17:25; edited 1 time in total

martin
Site Admin

Why do you believe that PuTTY is susceptible to OpenSSH bugs?

PuTTY and WinSCP do not use any OpenSSH code.

sglawson

martin wrote:

Why do you believe that PuTTY is susceptible to OpenSSH bugs?

PuTTY and WinSCP do not use any OpenSSH code.

I was not aware they don't use OpenSSH; so now I'm really confused. Due to the discovery of the vulnerability, our network guys "shut this down" (whatever that means), and all transfers failed after that point. They rolled the change back and the transfers are working again. I am going to reach out to them and see what exactly it is they are blocking at the firewall to make sure they aren't blocking something they should be letting through. If WinSCP isn't using OpenSSH and whatever they are changing is causing it to fail, they must be blocking something else in addition to OpenSSH. Thanks for the prompt reply.
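Added example, not part of the original thread and not code from WinSCP, PuTTY or OpenSSH: the two bugs quoted in the first post are in the server (`sshd`), so a defender's check looks at the server's identification banner and its `sshd_config`, not at the client. The sample banners are constructed, and the option defaults and first-value-wins parsing are assumptions about the affected releases.

```python
import re

# (option, first affected, last affected) exactly as quoted in the first post.
CHECKS = (("pamauthenticationviakbdint", (2, 3, 1), (3, 3, 0)),
          ("challengeresponseauthentication", (2, 9, 9), (3, 3, 0)))

# Assumed defaults when sshd_config does not set the option.
DEFAULTS = {"pamauthenticationviakbdint": "no",
            "challengeresponseauthentication": "yes"}

# Constructed sample identification strings (server and client side).
SAMPLE_SERVER_BANNER = "SSH-1.99-OpenSSH_3.3"
SAMPLE_CLIENT_BANNER = "SSH-2.0-PuTTY_Release_0.63"

def openssh_version(banner):
    """Return (major, minor, patch) from an SSH identification string,
    or None when the peer does not identify itself as OpenSSH."""
    m = re.match(r"SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?", banner.strip())
    if not m:
        return None
    # A portable suffix such as "p1" is ignored; a missing patch level is 0.
    return tuple(int(g) if g else 0 for g in m.groups())

def effective_options(sshd_config):
    """Resolve the two options from sshd_config text.
    Keywords are case-insensitive; the first value seen is kept (assumption)."""
    opts, seen = dict(DEFAULTS), set()
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            key = parts[0].lower()
            if key in DEFAULTS and key not in seen:
                opts[key] = parts[1].strip().lower()
                seen.add(key)
    return opts

def exposure(banner, sshd_config):
    """Return the options that put this server inside a quoted condition.
    Whether SKEY or BSD_AUTH is compiled in cannot be read from the config,
    so a ChallengeResponseAuthentication hit means 'needs a closer look'."""
    version = openssh_version(banner)
    if version is None:
        return []
    opts = effective_options(sshd_config)
    return [key for key, lo, hi in CHECKS
            if lo <= version <= hi and opts[key] == "yes"]
```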