RE: compilation issue found in libssh-0.7.6 on VS2017

[Nitesh Srivastava <nitesh.srivastava@xxxxxxxxxx>]

Hi Andreas,



Thanks for your response. We sent mail to Defensics regarding "Authentication Bypass was successful by entering invalid string in username field", Please find below the reply from Defensics team:



According to RFC4252:



The 'user name' and 'service name' are repeated in every new authentication attempt, and MAY change. The server implementation MUST carefully check them in every message, and MUST flush any accumulated authentication states if they change.



This means that even if suite has sent a request with a valid username before, and now sends a new request with different username, the server should only consider the username in the last request. In my opinion, the authentication bypass issue is valid.



Also we are in discussion with Defensics team to provide manual verification steps and waiting for their response.



I know you are busy with your schedule but can we have a small call for this libSSH support? . Please let me know your availability.



Regards,

Nitesh







-

Nitesh Srivastava

Network Control Solutions



ABB Ability & Innovation Centre

3rd Floor, Bhoruka Tech Park

Mahadevpura Main Road,

560048, Bengaluru (India)

Mobile: +91 9379416369

abb.com



-----Original Message-----
From: Andreas Schneider <asn@xxxxxxxxxxxxxx>
Sent: Thursday, March 07, 2019 4:24 PM
To: libssh@xxxxxxxxxx
Cc: Nitesh Srivastava <nitesh.srivastava@xxxxxxxxxx>
Subject: Re: compilation issue found in libssh-0.7.6 on VS2017



CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.





On Wednesday, March 6, 2019 7:05:22 PM CET Nitesh Srivastava wrote:

> Hi Andreas,

>

> Thanks for reply. I used the libssh-0.7.7 version and its compiled for me.

>

> But during my Product device security testing through synopsis tool

> its failed for "Authentication bypass vulnerability" in version 0.7.7.



I would argue that this tool is broken. We have unit tests which proof that it is fixed ;-)



--

Andreas Schneider                 asn@xxxxxxxxxxxxxx<mailto:asn@xxxxxxxxxxxxxx>

GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

--- Begin Message ---

• Subject: RE: compilation issue found in libssh-0.7.6 on VS2017
• From: V-Ravi-Chaitanya Chebolu <v-ravi-chaitanya.chebolu@xxxxxxxxxx>
• Date: Mon, 25 Mar 2019 05:26:50 +0000
• To: Sascha Stoeter <sascha.stoeter@xxxxxxxxxx>, Srikant Sana <srikant.sana@xxxxxxxxxx>, Jocelyn Lau <jocelyn.lau@xxxxxxxxxx>, Anjana Rajan <anjana.rajan@xxxxxxxxxx>, Joe Doetzl <Joe.Doetzl@xxxxxxxxxx>, Nitesh Srivastava <nitesh.srivastava@xxxxxxxxxx>
• Cc: Manish Singh <manish.singh@xxxxxxxxxx>, Brahmaji Naidu <brahmaji.naidu@xxxxxxxxxx>, Aneta Jaworska <aneta.jaworska@xxxxxxxxxx>, Scott Pate <scott.pate@xxxxxxxxxx>, Mattias Gustin <Mattias.Gustin@xxxxxxxxxx>, Hadeli Hadeli <hadeli.hadeli@xxxxxxxxxx>

Hello Sascha,



From the defensics logs, it can be confirmed that Authentication Bypass has happened, but again we are checking with Defensics team whether it is false positive or not?



Also, about the manual verification of the issue, we are checking with Defensics team, how to reproduce manually.



Does this mean that any one of the passwords that are associated with a user on the device allows access regardless of the username?

Does authentication also work if an existing user name is used, but with a different user’s password?

What is the “malformed value”? The password was said to be correct…

If @Nitesh Srivastava<mailto:nitesh.srivastava@xxxxxxxxxx> can provide other username/passwords we can verify the same.

The malformed value in the username fields can be anything (like hexadecimal 20).



Regards,

Ravi Chaitanya.

Device Security Assurance Centre



For any DSAC enquiries, please send an E-mail to IN-dsac@xxxxxxx<mailto:IN-dsac@xxxxxxx>

To get news and update on DSAC, please subscribe to DSAC mailing list<http://www.abb.com/global/gad/GAD01626.nsf/0/60AE9D386FE86E1DC12582140043809E?OpenDocument>.







From: Sascha Stoeter
Sent: Friday, March 22, 2019 8:01 PM
To: Srikant Sana <srikant.sana@xxxxxxxxxx>; Jocelyn Lau <jocelyn.lau@xxxxxxxxxx>; V-Ravi-Chaitanya Chebolu <v-ravi-chaitanya.chebolu@xxxxxxxxxx>; Anjana Rajan <anjana.rajan@xxxxxxxxxx>; Joe Doetzl <Joe.Doetzl@xxxxxxxxxx>
Cc: Manish Singh <manish.singh@xxxxxxxxxx>; Brahmaji Naidu <brahmaji.naidu@xxxxxxxxxx>; Aneta Jaworska <aneta.jaworska@xxxxxxxxxx>; Scott Pate <scott.pate@xxxxxxxxxx>; Mattias Gustin <Mattias.Gustin@xxxxxxxxxx>; Nitesh Srivastava <nitesh.srivastava@xxxxxxxxxx>; Hadeli Hadeli <hadeli.hadeli@xxxxxxxxxx>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



In addition, has anyone manually confirmed the Defensics finding or is it a false positive?

Sascha





From: Sascha Stoeter
Sent: Friday, 22 March 2019 14:33
To: Srikant Sana <srikant.sana@xxxxxxxxxx<mailto:srikant.sana@xxxxxxxxxx>>; Jocelyn Lau <jocelyn.lau@xxxxxxxxxx<mailto:jocelyn.lau@xxxxxxxxxx>>; V-Ravi-Chaitanya Chebolu <v-ravi-chaitanya.chebolu@xxxxxxxxxx<mailto:v-ravi-chaitanya.chebolu@xxxxxxxxxx>>; Anjana Rajan <anjana.rajan@xxxxxxxxxx<mailto:anjana.rajan@xxxxxxxxxx>>; Joe Doetzl <Joe.Doetzl@xxxxxxxxxx<mailto:Joe.Doetzl@xxxxxxxxxx>>
Cc: Manish Singh <manish.singh@xxxxxxxxxx<mailto:manish.singh@xxxxxxxxxx>>; Brahmaji Naidu <brahmaji.naidu@xxxxxxxxxx<mailto:brahmaji.naidu@xxxxxxxxxx>>; Aneta Jaworska <aneta.jaworska@xxxxxxxxxx<mailto:aneta.jaworska@xxxxxxxxxx>>; Scott Pate <scott.pate@xxxxxxxxxx<mailto:scott.pate@xxxxxxxxxx>>; Mattias Gustin <Mattias.Gustin@xxxxxxxxxx<mailto:Mattias.Gustin@xxxxxxxxxx>>; Nitesh Srivastava <nitesh.srivastava@xxxxxxxxxx<mailto:nitesh.srivastava@xxxxxxxxxx>>; Hadeli Hadeli (hadeli.hadeli@xxxxxxxxxx<mailto:hadeli.hadeli@xxxxxxxxxx>) <hadeli.hadeli@xxxxxxxxxx<mailto:hadeli.hadeli@xxxxxxxxxx>>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



Hi all



Is the Defensics finding the only issue holding back the release?





Ravi:



> But on Defensics the issue reported as Authentication Bypass is different. Here, the Defensics sends valid Username with no password, for which PCU400 responds with Authorization failure,

That’s as expected.



> then Defensics sends with invalid username with valid password (malformed value) and determines that Authentication Bypass was possible.

Does this mean that any one of the passwords that are associated with a user on the device allows access regardless of the username?

Does authentication also work if an existing user name is used, but with a different user’s password?

What is the “malformed value”? The password was said to be correct…





Srikant:



Is the issue described above only allowing access to the PCUCAG module or to a wider set of functionality?



> In the current test scenario if authentication fails there is no possibility to send a command to PCUCAG ,hence restricting the access for external application to make any attempts to fail.

I’m not sure what this is supposed to say. The issue here is that authentication succeeds when it’s supposed to fail.



> The alternate solution suggested below is  to restrict the access to system to only local system where in operator has to log locally to access PCUCAG functionality , no external access to the system till the issue is resolved.

That’s the option that would prevent further release delays caused by the finding.





Cheers,

Sascha





From: Srikant Sana
Sent: Friday, 22 March 2019 10:33
To: Jocelyn Lau <jocelyn.lau@xxxxxxxxxx<mailto:jocelyn.lau@xxxxxxxxxx>>; V-Ravi-Chaitanya Chebolu <v-ravi-chaitanya.chebolu@xxxxxxxxxx<mailto:v-ravi-chaitanya.chebolu@xxxxxxxxxx>>; Anjana Rajan <anjana.rajan@xxxxxxxxxx<mailto:anjana.rajan@xxxxxxxxxx>>
Cc: Manish Singh <manish.singh@xxxxxxxxxx<mailto:manish.singh@xxxxxxxxxx>>; Brahmaji Naidu <brahmaji.naidu@xxxxxxxxxx<mailto:brahmaji.naidu@xxxxxxxxxx>>; Aneta Jaworska <aneta.jaworska@xxxxxxxxxx<mailto:aneta.jaworska@xxxxxxxxxx>>; Scott Pate <scott.pate@xxxxxxxxxx<mailto:scott.pate@xxxxxxxxxx>>; Mattias Gustin <Mattias.Gustin@xxxxxxxxxx<mailto:Mattias.Gustin@xxxxxxxxxx>>; Nitesh Srivastava <nitesh.srivastava@xxxxxxxxxx<mailto:nitesh.srivastava@xxxxxxxxxx>>; Sascha Stoeter <sascha.stoeter@xxxxxxxxxx<mailto:sascha.stoeter@xxxxxxxxxx>>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



Hi Jocelyn ,



PCU400 and PCUCAG details

PCU400 is front end which basically acts communication server between NM SCADA server and field RTUs/devices.

The module in testing here  is PCUCAG , which provide an interface to operator to enable/disable the communication details.

The data coming into and going out of PCU are written into log (trace) files and at the same time display the details on Putty (SSH) session through which the user is connected to the PCU application.

There is list of predefined commands  to enable/disable  logging , any other message coming to PCUCAG will be discarded if that does not meet standard syntax.

So PCUCAG core functionality is to inform the Protocol drivers in the system  to enable/disable logs in PCU  and write the details to log/flat files , primarily to support in trouble shooting of the system in commission stage or later based on the need.



In the current test scenario if authentication fails there is no possibility to send a command to PCUCAG ,hence restricting the access for external application to make any attempts to fail.

Even if  this or any other application in PCU fails there is inbuilt mechanism to restart that.



The alternate solution suggested below is  to restrict the access to system to only local system where in operator has to log locally to access PCUCAG functionality , no external access to the system till the issue is resolved.



Please let me know if any further details are required on this.



Regards

Srikant





From: Jocelyn Lau
Sent: Friday, March 22, 2019 12:14 PM
To: Srikant Sana <srikant.sana@xxxxxxxxxx<mailto:srikant.sana@xxxxxxxxxx>>; V-Ravi-Chaitanya Chebolu <v-ravi-chaitanya.chebolu@xxxxxxxxxx<mailto:v-ravi-chaitanya.chebolu@xxxxxxxxxx>>; Anjana Rajan <anjana.rajan@xxxxxxxxxx<mailto:anjana.rajan@xxxxxxxxxx>>
Cc: Manish Singh <manish.singh@xxxxxxxxxx<mailto:manish.singh@xxxxxxxxxx>>; Brahmaji Naidu <brahmaji.naidu@xxxxxxxxxx<mailto:brahmaji.naidu@xxxxxxxxxx>>; Aneta Jaworska <aneta.jaworska@xxxxxxxxxx<mailto:aneta.jaworska@xxxxxxxxxx>>; Scott Pate <scott.pate@xxxxxxxxxx<mailto:scott.pate@xxxxxxxxxx>>; Mattias Gustin <Mattias.Gustin@xxxxxxxxxx<mailto:Mattias.Gustin@xxxxxxxxxx>>; Nitesh Srivastava <nitesh.srivastava@xxxxxxxxxx<mailto:nitesh.srivastava@xxxxxxxxxx>>; Sascha Stoeter <sascha.stoeter@xxxxxxxxxx<mailto:sascha.stoeter@xxxxxxxxxx>>
Subject: Re: compilation issue found in libssh-0.7.6 on VS2017



[+Sascha]



Hello Srikant…



We cannot change the severity without more information from the vendor.  It sounds like this ticket has been opened now and we can try to escalate this.  (@Rchaitanya Chebolu<mailto:v-ravi-chaitanya.chebolu@xxxxxxxxxx> / @Anjana Rajan<mailto:anjana.rajan@xxxxxxxxxx>: can you help with this?)



In parallel while we work with the test vendor, let’s start the conversation with Sascha regarding a possible exception.  If you can provide more information to him, I have a meeting with him tomorrow afternoon to sync up and we can discuss this topic in our agenda.



Regards,

Jocelyn





From: Srikant Sana <srikant.sana@xxxxxxxxxx<mailto:srikant.sana@xxxxxxxxxx>>
Date: Thursday, March 21, 2019 at 11:17 PM
To: V-Ravi-Chaitanya Chebolu <v-ravi-chaitanya.chebolu@xxxxxxxxxx<mailto:v-ravi-chaitanya.chebolu@xxxxxxxxxx>>, Jocelyn Lau <jocelyn.lau@xxxxxxxxxx<mailto:jocelyn.lau@xxxxxxxxxx>>
Cc: Manish Singh <manish.singh@xxxxxxxxxx<mailto:manish.singh@xxxxxxxxxx>>, Anjana Rajan <anjana.rajan@xxxxxxxxxx<mailto:anjana.rajan@xxxxxxxxxx>>, Brahmaji Naidu <brahmaji.naidu@xxxxxxxxxx<mailto:brahmaji.naidu@xxxxxxxxxx>>, Aneta Jaworska <aneta.jaworska@xxxxxxxxxx<mailto:aneta.jaworska@xxxxxxxxxx>>, Scott Pate <scott.pate@xxxxxxxxxx<mailto:scott.pate@xxxxxxxxxx>>, Mattias Gustin <Mattias.Gustin@xxxxxxxxxx<mailto:Mattias.Gustin@xxxxxxxxxx>>, Nitesh Srivastava <nitesh.srivastava@xxxxxxxxxx<mailto:nitesh.srivastava@xxxxxxxxxx>>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



Hi Jocelyn & Ravi ,



Thank you for the support  and inputs on analysis  of the reported issue.

As it seems to be an issue specific to tool can we have an exception or recategorization of issue currently it reported  as critical issue, as it may take time to resolve from Vendor side as well.



Alternatively we can restrict the access of  application to Local Host only where in if required the Operator will connect to PCU system using remote desktop.  Currently an operator can connect to the system using Putty (SSH) from a remote system.



We have a G5 planned by end of this month so please let us know how we can proceed further on this .



Regards

Srikant





From: V-Ravi-Chaitanya Chebolu
Sent: Friday, March 22, 2019 9:09 AM
To: Jocelyn Lau <jocelyn.lau@xxxxxxxxxx<mailto:jocelyn.lau@xxxxxxxxxx>>; Nitesh Srivastava <nitesh.srivastava@xxxxxxxxxx<mailto:nitesh.srivastava@xxxxxxxxxx>>
Cc: Manish Singh <manish.singh@xxxxxxxxxx<mailto:manish.singh@xxxxxxxxxx>>; Anjana Rajan <anjana.rajan@xxxxxxxxxx<mailto:anjana.rajan@xxxxxxxxxx>>; Srikant Sana <srikant.sana@xxxxxxxxxx<mailto:srikant.sana@xxxxxxxxxx>>; Brahmaji Naidu <brahmaji.naidu@xxxxxxxxxx<mailto:brahmaji.naidu@xxxxxxxxxx>>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



Hello Jocelyn,



Thanks for your mail. I have already raised a support query with Synopsis and awaiting their response. I will update you once I get any update from them.



Regards,

Ravi Chaitanya.

Device Security Assurance Centre



For any DSAC enquiries, please send an E-mail to IN-dsac@xxxxxxx<mailto:IN-dsac@xxxxxxx>

To get news and update on DSAC, please subscribe to DSAC mailing list<http://www.abb.com/global/gad/GAD01626.nsf/0/60AE9D386FE86E1DC12582140043809E?OpenDocument>.







From: Jocelyn Lau
Sent: Thursday, March 21, 2019 8:02 PM
To: V-Ravi-Chaitanya Chebolu <v-ravi-chaitanya.chebolu@xxxxxxxxxx<mailto:v-ravi-chaitanya.chebolu@xxxxxxxxxx>>; Nitesh Srivastava <nitesh.srivastava@xxxxxxxxxx<mailto:nitesh.srivastava@xxxxxxxxxx>>
Cc: Manish Singh <manish.singh@xxxxxxxxxx<mailto:manish.singh@xxxxxxxxxx>>; Anjana Rajan <anjana.rajan@xxxxxxxxxx<mailto:anjana.rajan@xxxxxxxxxx>>; Srikant Sana <srikant.sana@xxxxxxxxxx<mailto:srikant.sana@xxxxxxxxxx>>; Brahmaji Naidu <brahmaji.naidu@xxxxxxxxxx<mailto:brahmaji.naidu@xxxxxxxxxx>>
Subject: Re: compilation issue found in libssh-0.7.6 on VS2017



Hello Ravi..



Thank you for the detailed description/background for this issue.  I would recommend that we first open a support ticket with Synopsys to ask them about this discrepancy.  Based on their analysis, we can then discuss the question of the severity of this issue.



Thanks,

Jocelyn





From: V-Ravi-Chaitanya Chebolu <v-ravi-chaitanya.chebolu@xxxxxxxxxx<mailto:v-ravi-chaitanya.chebolu@xxxxxxxxxx>>
Date: Thursday, March 21, 2019 at 5:01 AM
To: Jocelyn Lau <jocelyn.lau@xxxxxxxxxx<mailto:jocelyn.lau@xxxxxxxxxx>>, Nitesh Srivastava <nitesh.srivastava@xxxxxxxxxx<mailto:nitesh.srivastava@xxxxxxxxxx>>
Cc: Manish Singh <manish.singh@xxxxxxxxxx<mailto:manish.singh@xxxxxxxxxx>>, Anjana Rajan <anjana.rajan@xxxxxxxxxx<mailto:anjana.rajan@xxxxxxxxxx>>, Srikant Sana <srikant.sana@xxxxxxxxxx<mailto:srikant.sana@xxxxxxxxxx>>, Brahmaji Naidu <brahmaji.naidu@xxxxxxxxxx<mailto:brahmaji.naidu@xxxxxxxxxx>>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



Hello Jocelyn,



In PCU400, there is a high severity issue called “Authentication Bypass” vulnerability.

Earlier, PCU400 was using libSSH version less than 0.7.6 which had Authentication Bypass vulnerability which was reported by both Nessus and Defensics.

So, PCU400 team has updated the libSSH package to 0.7.7, which has mitigation for Authentication Bypass.



Now when Nessus was run (with libssh 0.7.6 or 0.7.7) this Authentication Bypass was not reported. As Authentiction Bypass was observed for lower versions than 0.7.6, which is occurred by, a user could just skip the authentication process and have his client send the SSH2_MSG_USERAUTH_SUCCESS and bypass all checks instead of sending SSH2_MSG_USERAUTH_REQUEST.



But on Defensics the issue reported as Authentication Bypass is different. Here, the Defensics sends valid Username with no password, for which PCU400 responds with Authorization failure, then Defensics sends with invalid username with valid password (malformed value) and determines that Authentication Bypass was possible.



So, the issue is not fixed as per Defensics.



But the BU says that this service is not critical. Can you please let them know, if it is possible to change the severity level from high to medium.



Regards,

Ravi Chaitanya.

Device Security Assurance Centre



For any DSAC enquiries, please send an E-mail to IN-dsac@xxxxxxx<mailto:IN-dsac@xxxxxxx>

To get news and update on DSAC, please subscribe to DSAC mailing list<http://www.abb.com/global/gad/GAD01626.nsf/0/60AE9D386FE86E1DC12582140043809E?OpenDocument>.







From: Nitesh Srivastava
Sent: Thursday, March 21, 2019 2:19 AM
To: V-Ravi-Chaitanya Chebolu <v-ravi-chaitanya.chebolu@xxxxxxxxxx<mailto:v-ravi-chaitanya.chebolu@xxxxxxxxxx>>
Cc: Manish Singh <manish.singh@xxxxxxxxxx<mailto:manish.singh@xxxxxxxxxx>>; Anjana Rajan <anjana.rajan@xxxxxxxxxx<mailto:anjana.rajan@xxxxxxxxxx>>; Srikant Sana <srikant.sana@xxxxxxxxxx<mailto:srikant.sana@xxxxxxxxxx>>; Brahmaji Naidu <brahmaji.naidu@xxxxxxxxxx<mailto:brahmaji.naidu@xxxxxxxxxx>>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



Hi Ravi,



We have tested our PCU400 with all the latest versions of libssh(0.7.6 & 0.8.7) and resolved Authentication Bypass issue successfully.



For the issue reported in defensics, Authentication Bypass was successful by entering invalid string in username field:  I must say this situation will never occur in PCU400 system. The reason is, in PCU400 system pcucag run as background process and used to collect the logs for PCU400 bug investigation. To connect with pcucag, process in PCU400 is done through localhost via any libssh based application (Putty) and this processing is done after connecting via Remote desktop connection (Encrypted method) at customer place by using authorized PSO/Customer person.



Also in PCU400 system, pcucag is not the critical process and the connections are discarding for invalid username and password. I’ll suggest please consider this as an exceptional issue.



Please suggest and let me know about your concern.



Regards,

Nitesh







—

Nitesh Srivastava

Network Control Solutions



ABB Ability & Innovation Centre

3rd Floor, Bhoruka Tech Park

Mahadevpura Main Road,

560048, Bengaluru (India)

Mobile: +91 9379416369

abb.com



From: V-Ravi-Chaitanya Chebolu
Sent: Monday, March 11, 2019 10:03 AM
To: Srikant Sana <srikant.sana@xxxxxxxxxx<mailto:srikant.sana@xxxxxxxxxx>>; Nitesh Srivastava <nitesh.srivastava@xxxxxxxxxx<mailto:nitesh.srivastava@xxxxxxxxxx>>
Cc: Manish Singh <manish.singh@xxxxxxxxxx<mailto:manish.singh@xxxxxxxxxx>>; Anjana Rajan <anjana.rajan@xxxxxxxxxx<mailto:anjana.rajan@xxxxxxxxxx>>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



Hello Srikanth,



We are still awaiting response from Defensics.



The issues seems to be different in a way that the one fixed by libSSH versin 0.7.6 is Authentication Bypass which is occurred by, a user could just skip the authentication process and have his client send the SSH2_MSG_USERAUTH_SUCCESS and bypass all checks instead of sending SSH2_MSG_USERAUTH_REQUEST. This issue is not reported now.



But the one reported in defensics is different, in the Authorization Service Request Message message Defensics is appending invalid string in username field and it reported that Autentication Bypass was successful.



Regards,

Ravi Chaitanya.

Device Security Assurance Centre



For any DSAC enquiries, please send an E-mail to IN-dsac@xxxxxxx<mailto:IN-dsac@xxxxxxx>

To get news and update on DSAC, please subscribe to DSAC mailing list<http://www.abb.com/global/gad/GAD01626.nsf/0/60AE9D386FE86E1DC12582140043809E?OpenDocument>.







From: Srikant Sana
Sent: Monday, March 11, 2019 8:59 AM
To: V-Ravi-Chaitanya Chebolu <v-ravi-chaitanya.chebolu@xxxxxxxxxx<mailto:v-ravi-chaitanya.chebolu@xxxxxxxxxx>>; Nitesh Srivastava <nitesh.srivastava@xxxxxxxxxx<mailto:nitesh.srivastava@xxxxxxxxxx>>
Cc: Manish Singh <manish.singh@xxxxxxxxxx<mailto:manish.singh@xxxxxxxxxx>>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



Hi Ravi ,



Is the downgraded version of Libssh also showing same issues , If so when we can expect a response from the Defensics or is there way to take exception for this?

Based on your input , the  Gate meeting has to be planned .



Regards

Srikant



From: V-Ravi-Chaitanya Chebolu
Sent: Thursday, March 07, 2019 5:34 PM
To: Nitesh Srivastava <nitesh.srivastava@xxxxxxxxxx<mailto:nitesh.srivastava@xxxxxxxxxx>>
Cc: Srikant Sana <srikant.sana@xxxxxxxxxx<mailto:srikant.sana@xxxxxxxxxx>>; Manish Singh <manish.singh@xxxxxxxxxx<mailto:manish.singh@xxxxxxxxxx>>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



Hello Nitesh,



This issue is reported by Defensics and we have raised a support case with them, once we get a response from them, we will let you know.



Regards,

Ravi Chaitanya.

Device Security Assurance Centre



For any DSAC enquiries, please send an E-mail to IN-dsac@xxxxxxx<mailto:IN-dsac@xxxxxxx>

To get news and update on DSAC, please subscribe to DSAC mailing list<http://www.abb.com/global/gad/GAD01626.nsf/0/60AE9D386FE86E1DC12582140043809E?OpenDocument>.







From: Nitesh Srivastava
Sent: Thursday, March 07, 2019 5:20 PM
To: V-Ravi-Chaitanya Chebolu <v-ravi-chaitanya.chebolu@xxxxxxxxxx<mailto:v-ravi-chaitanya.chebolu@xxxxxxxxxx>>
Cc: Srikant Sana <srikant.sana@xxxxxxxxxx<mailto:srikant.sana@xxxxxxxxxx>>
Subject: FW: compilation issue found in libssh-0.7.6 on VS2017



Hi Ravi,



We have checked with libssh.org and as per them “Authentication bypass vulnerability" is fixed in version 0.7.7.



Below is the response, Please have a look.



Regards,

Nitesh



-----Original Message-----
From: Andreas Schneider <asn@xxxxxxxxxxxxxx<mailto:asn@xxxxxxxxxxxxxx>>
Sent: Thursday, March 07, 2019 4:24 PM
To: libssh@xxxxxxxxxx<mailto:libssh@xxxxxxxxxx>
Cc: Nitesh Srivastava <nitesh.srivastava@xxxxxxxxxx<mailto:nitesh.srivastava@xxxxxxxxxx>>
Subject: Re: compilation issue found in libssh-0.7.6 on VS2017



CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.





On Wednesday, March 6, 2019 7:05:22 PM CET Nitesh Srivastava wrote:

> Hi Andreas,

>

> Thanks for reply. I used the libssh-0.7.7 version and its compiled for me.

>

> But during my Product device security testing through synopsis tool

> its failed for "Authentication bypass vulnerability" in version 0.7.7.



I would argue that this tool is broken. We have unit tests which proof that it is fixed ;-)



--

Andreas Schneider                 asn@xxxxxxxxxxxxxx<mailto:asn@xxxxxxxxxxxxxx>

GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

--- End Message ---