Hi Andreas,

Thanks for your reply. I checked with the DSAC team locally and received the input 
below regarding the "Authentication Bypass was successful" issue with libssh-0.7.6.

Please suggest if you have any input or suggestion on the point below.


Regards,
Nitesh

From: V-Ravi-Chaitanya Chebolu
Sent: Monday, March 11, 2019 10:03 AM
To: Srikant Sana <srikant.s...@in.abb.com>; Nitesh Srivastava 
<nitesh.srivast...@in.abb.com>
Cc: Manish Singh <manish.si...@in.abb.com>; Anjana Rajan 
<anjana.ra...@in.abb.com>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017

Hello Srikanth,

We are still awaiting response from Defensics.

The issues seem to be different: the one fixed by libSSH version 0.7.6 is an 
Authentication Bypass in which a user could simply skip the authentication process 
and have his client send SSH2_MSG_USERAUTH_SUCCESS instead of 
SSH2_MSG_USERAUTH_REQUEST, bypassing all checks. This issue is not reported now.

But the one reported by Defensics is different: in the Authorization Service 
Request message, Defensics appends an invalid string in the username field, and it 
reported that Authentication Bypass was successful.

Regards,
Ravi Chaitanya.
Device Security Assurance Centre

For any DSAC enquiries, please send an e-mail to in-d...@abb.com
To get news and updates on DSAC, please subscribe to the DSAC mailing list 
(http://www.abb.com/global/gad/GAD01626.nsf/0/60AE9D386FE86E1DC12582140043809E?OpenDocument).

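The bypass Ravi describes above is a server-side state-machine flaw: a message that only a server may legitimately send (SSH2_MSG_USERAUTH_SUCCESS) is accepted from the client and flips the session to "authenticated". The following C program is an added illustration written for this thread; it is not libssh code and not part of any message in the thread. It models a toy server-side userauth dispatcher in its vulnerable form next to a hardened form that only accepts client-to-server messages and only changes state after a verified request. The message numbers are the RFC 4252 assignments; the struct names, the `credentials_ok` check and the `ends_authenticated` helper are assumptions made up for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SSH userauth message numbers as assigned in RFC 4252 section 6.
 * Protocol constants, not definitions taken from libssh's headers. */
#define SSH2_MSG_USERAUTH_REQUEST 50
#define SSH2_MSG_USERAUTH_FAILURE 51
#define SSH2_MSG_USERAUTH_SUCCESS 52

enum auth_state { AUTH_NONE = 0, AUTH_AUTHENTICATED = 1 };

/* Minimal stand-in for a server-side session object (hypothetical). */
struct session {
    enum auth_state state;
};

/* Constructed packet: only the fields the toy dispatcher looks at. */
struct packet {
    uint8_t type;
    const char *username;   /* only meaningful for USERAUTH_REQUEST */
    const char *password;
};

/* Toy credential check; a real server would consult keys, PAM, etc. */
static bool credentials_ok(const struct packet *p) {
    return p->username != NULL && p->password != NULL &&
           strcmp(p->username, "alice") == 0 &&
           strcmp(p->password, "correct horse") == 0;
}

/* Vulnerable pattern: the handler for USERAUTH_SUCCESS, a message only a server
 * may send, is reachable on the server side too. A peer that never sends
 * USERAUTH_REQUEST and instead sends USERAUTH_SUCCESS is marked authenticated.
 * Returns 0 when the packet was processed, -1 when it was rejected. */
int vulnerable_server_dispatch(struct session *s, const struct packet *p) {
    switch (p->type) {
    case SSH2_MSG_USERAUTH_REQUEST:
        if (credentials_ok(p))
            s->state = AUTH_AUTHENTICATED;
        return 0;
    case SSH2_MSG_USERAUTH_SUCCESS:
        s->state = AUTH_AUTHENTICATED;   /* trusts the peer's own claim */
        return 0;
    case SSH2_MSG_USERAUTH_FAILURE:
        return 0;
    default:
        return -1;
    }
}

/* Hardened pattern: the server's dispatch table contains only the messages a
 * client is allowed to send during userauth. Server-to-client messages are a
 * protocol violation and are rejected (a real server would disconnect).
 * Authentication state changes only as the result of a verified request. */
int hardened_server_dispatch(struct session *s, const struct packet *p) {
    switch (p->type) {
    case SSH2_MSG_USERAUTH_REQUEST:
        if (credentials_ok(p))
            s->state = AUTH_AUTHENTICATED;
        return 0;
    default:
        /* USERAUTH_SUCCESS, USERAUTH_FAILURE or anything else from a client:
         * never consulted when deciding the session state. */
        return -1;
    }
}

/* Run one packet through a fresh server session and report whether the session
 * ended up authenticated. This is the property a unit test for the fix asserts. */
int ends_authenticated(int (*dispatch)(struct session *, const struct packet *),
                       const struct packet *p) {
    struct session s = { AUTH_NONE };
    dispatch(&s, p);
    return s.state == AUTH_AUTHENTICATED;
}

int main(void) {
    /* Constructed packets: a forged SUCCESS carrying no credentials at all,
     * a genuine request with the right password, and one with a wrong password. */
    const struct packet forged  = { SSH2_MSG_USERAUTH_SUCCESS, NULL, NULL };
    const struct packet genuine = { SSH2_MSG_USERAUTH_REQUEST, "alice", "correct horse" };
    const struct packet wrong   = { SSH2_MSG_USERAUTH_REQUEST, "alice", "nope" };

    printf("vulnerable, forged SUCCESS : %s\n",
           ends_authenticated(vulnerable_server_dispatch, &forged) ? "AUTHENTICATED" : "denied");
    printf("hardened,   forged SUCCESS : %s\n",
           ends_authenticated(hardened_server_dispatch, &forged) ? "AUTHENTICATED" : "denied");
    printf("hardened,   genuine request: %s\n",
           ends_authenticated(hardened_server_dispatch, &genuine) ? "AUTHENTICATED" : "denied");
    printf("hardened,   wrong password : %s\n",
           ends_authenticated(hardened_server_dispatch, &wrong) ? "AUTHENTICATED" : "denied");
    return 0;
}
```

The point for a reviewer is the shape of the fix rather than any single check: the server side gets its own dispatch table in which server-only message types are absent, and the only path to AUTH_AUTHENTICATED is a verified USERAUTH_REQUEST. The `ends_authenticated` helper is the kind of unit test Andreas refers to later in the thread; a scanner that still flags the version under test can be checked against exactly that property.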

From: Srikant Sana
Sent: Monday, March 11, 2019 8:59 AM
To: V-Ravi-Chaitanya Chebolu <v-ravi-chaitanya.cheb...@in.abb.com>; 
Nitesh Srivastava <nitesh.srivast...@in.abb.com>
Cc: Manish Singh <manish.si...@in.abb.com>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017

Hi Ravi ,

Is the downgraded version of libssh also showing the same issues? If so, when can we 
expect a response from Defensics, or is there a way to take an exception for this?
Based on your input, the Gate meeting has to be planned.

Regards
Srikant

From: V-Ravi-Chaitanya Chebolu
Sent: Thursday, March 07, 2019 5:34 PM
To: Nitesh Srivastava <nitesh.srivast...@in.abb.com>
Cc: Srikant Sana <srikant.s...@in.abb.com>; Manish Singh <manish.si...@in.abb.com>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017

Hello Nitesh,

This issue is reported by Defensics and we have raised a support case with them; 
once we get a response from them, we will let you know.

Regards,
Ravi Chaitanya.
Device Security Assurance Centre


From: Nitesh Srivastava
Sent: Thursday, March 07, 2019 5:20 PM
To: V-Ravi-Chaitanya Chebolu <v-ravi-chaitanya.cheb...@in.abb.com>
Cc: Srikant Sana <srikant.s...@in.abb.com>
Subject: FW: compilation issue found in libssh-0.7.6 on VS2017

Hi Ravi,

We have checked with libssh.org and as per them the "Authentication bypass 
vulnerability" is fixed in version 0.7.7.

Below is the response; please have a look.

Regards,
Nitesh


-----Original Message-----
From: Andreas Schneider <a...@cryptomilk.org>
Sent: Thursday, March 07, 2019 4:24 PM
To: libssh@libssh.org
Cc: Nitesh Srivastava <nitesh.srivast...@in.abb.com>
Subject: Re: compilation issue found in libssh-0.7.6 on VS2017

On Wednesday, March 6, 2019 7:05:22 PM CET Nitesh Srivastava wrote:
> Hi Andreas,
>
> Thanks for the reply. I used the libssh-0.7.7 version and it compiled for me.
>
> But during my product device security testing through the Synopsys tool
> it failed for "Authentication bypass vulnerability" in version 0.7.7.

I would argue that this tool is broken. We have unit tests which prove that it 
is fixed ;-)

--
Andreas Schneider                 a...@cryptomilk.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D