Topic "OpenSSH vulnerability, is WinSCP safe?"

Author Message
sglawson
Joined: 2016-01-20
Posts: 2
Location: Pennsylvania
A security vulnerability has recently been found in OpenSSH 2.3.1 through 3.3. More info here: https://www.snort.org/rule_docs/128-1. It looks like WinSCP uses PuTTY 0.63+ code for SSH which I believe is susceptible. Is there any way to use an updated SSH library instead of the outdated library with the OpenSSH vulnerability?

Detailed info if link does not work:

Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt).

Integer overflow in sshd in OpenSSH 2.9.9 through 3.3 allows remote attackers to execute arbitrary code during challenge response authentication (ChallengeResponseAuthentication) when OpenSSH is using SKEY or BSD_AUTH authentication.

This event can be controlled using the ssh configuration options.

Last edited by sglawson on 2016-01-20 17:25; edited 1 time in total
martin
Site Admin
Joined: 2002-12-10
Posts: 25034
Location: Prague, Czechia
Why do you believe that PuTTY is susceptible to OpenSSH bugs?

PuTTY and WinSCP do not use any OpenSSH code.
sglawson
Joined: 2016-01-20
Posts: 2
Location: Pennsylvania
prikryl wrote:
> Why do you believe that PuTTY is susceptible to OpenSSH bugs?
>
> PuTTY and WinSCP do not use any OpenSSH code.

I was not aware they don't use OpenSSH; so now I'm really confused. Due to the discovery of the vulnerability, our network guys "shut this down" (whatever that means), and all transfers failed after that point. They rolled the change back and the transfers are working again. I am going to reach out to them and see what exactly it is they are blocking at the firewall to make sure they aren't blocking something they should be letting through. If WinSCP isn't using OpenSSH and whatever they are changing is causing it to fail, they must be blocking something else in addition to OpenSSH. Thanks for the prompt reply.
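
An added example, not part of the original thread and not WinSCP or PuTTY code: both bugs quoted in the first post are in sshd, so what matters is the software the server announces in its SSH identification string, not the client. The sketch below classifies identification strings against the two version ranges quoted above; the function names, issue labels and sample banners are constructed for illustration.

```python
import re

# Affected sshd ranges exactly as quoted in the first post (inclusive bounds).
PAM_KBDINT_RANGE = ((2, 3, 1), (3, 3, 0))      # PAMAuthenticationViaKbdInt buffer overflow
CHALLENGE_RESP_RANGE = ((2, 9, 9), (3, 3, 0))  # SKEY / BSD_AUTH integer overflow

# Identification string layout: SSH-protoversion-softwareversion [SP comments]
_BANNER = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")
_OPENSSH = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?")


def classify_banner(banner):
    """Return (software, issues) for one identification string."""
    m = _BANNER.match(banner.strip())
    if not m:
        return ("unparseable", set())
    software = m.group(2)
    v = _OPENSSH.match(software)
    if not v:
        # No OpenSSH x.y version to compare (PuTTY, WinSCP, other servers).
        return (software, set())
    version = (int(v.group(1)), int(v.group(2)), int(v.group(3) or 0))
    issues = set()
    if PAM_KBDINT_RANGE[0] <= version <= PAM_KBDINT_RANGE[1]:
        issues.add("pam-kbdint-overflow")
    if CHALLENGE_RESP_RANGE[0] <= version <= CHALLENGE_RESP_RANGE[1]:
        issues.add("challenge-response-overflow")
    return (software, issues)


def audit(banners):
    """Map each banner that falls in a quoted range to its issue labels."""
    flagged = {}
    for b in banners:
        _, issues = classify_banner(b)
        if issues:
            flagged[b] = sorted(issues)
    return flagged


# Constructed sample banners: three servers and one client.
SAMPLES = [
    "SSH-2.0-OpenSSH_3.1p1",
    "SSH-1.99-OpenSSH_2.5.2p2",
    "SSH-2.0-OpenSSH_7.1p2 Debian-2",
    "SSH-2.0-PuTTY_Release_0.63",
]

if __name__ == "__main__":
    for banner, issues in audit(SAMPLES).items():
        print(banner, "->", ", ".join(issues))
```

The identification string is self-reported and distributions may backport fixes without changing the version, so treat a match as a prompt to check the server's patch level rather than as proof.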