Hi Andreas,


Thanks for your response. We sent mail to Defensics regarding "Authentication 
Bypass was successful by entering invalid string in username field". Please 
find below the reply from the Defensics team:



According to RFC4252:



The 'user name' and 'service name' are repeated in every new authentication 
attempt, and MAY change. The server implementation MUST carefully check them in 
every message, and MUST flush any accumulated authentication states if they 
change.



This means that even if the suite has sent a request with a valid username 
before, and now sends a new request with a different username, the server 
should only consider the username in the last request. In my opinion, the 
authentication bypass issue is valid.



Also we are in discussion with the Defensics team to provide manual verification 
steps and are waiting for their response.



I know you are busy with your schedule, but can we have a small call about this 
libSSH support? Please let me know your availability.



Regards,

Nitesh







-

Nitesh Srivastava

Network Control Solutions



ABB Ability & Innovation Centre

3rd Floor, Bhoruka Tech Park

Mahadevpura Main Road,

560048, Bengaluru (India)

Mobile: +91 9379416369

abb.com



-----Original Message-----
From: Andreas Schneider <[email protected]>
Sent: Thursday, March 07, 2019 4:24 PM
To: [email protected]
Cc: Nitesh Srivastava <[email protected]>
Subject: Re: compilation issue found in libssh-0.7.6 on VS2017








On Wednesday, March 6, 2019 7:05:22 PM CET Nitesh Srivastava wrote:
> Hi Andreas,
>
> Thanks for reply. I used the libssh-0.7.7 version and it compiled for me.
>
> But during my Product device security testing through Synopsys tool
> it failed for "Authentication bypass vulnerability" in version 0.7.7.



I would argue that this tool is broken. We have unit tests which prove that it 
is fixed ;-)



--
Andreas Schneider                 [email protected]
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D




--- Begin Message ---
Hello Sascha,



From the Defensics logs, it can be confirmed that Authentication Bypass has 
happened, but again we are checking with the Defensics team whether it is a false 
positive or not.



Also, about the manual verification of the issue, we are checking with the 
Defensics team on how to reproduce it manually.



> Does this mean that any one of the passwords that are associated with a user on 
> the device allows access regardless of the username?

> Does authentication also work if an existing user name is used, but with a 
> different user’s password?

> What is the “malformed value”? The password was said to be correct…

If @Nitesh Srivastava <[email protected]> can provide other 
username/passwords we can verify the same.

The malformed value in the username field can be anything (like hexadecimal 
20).



Regards,

Ravi Chaitanya.

Device Security Assurance Centre



For any DSAC enquiries, please send an E-mail to [email protected]

To get news and update on DSAC, please subscribe to the DSAC mailing 
list <http://www.abb.com/global/gad/GAD01626.nsf/0/60AE9D386FE86E1DC12582140043809E?OpenDocument>.







From: Sascha Stoeter
Sent: Friday, March 22, 2019 8:01 PM
To: Srikant Sana <[email protected]>; Jocelyn Lau 
<[email protected]>; V-Ravi-Chaitanya Chebolu 
<[email protected]>; Anjana Rajan <[email protected]>; 
Joe Doetzl <[email protected]>
Cc: Manish Singh <[email protected]>; Brahmaji Naidu 
<[email protected]>; Aneta Jaworska <[email protected]>; Scott 
Pate <[email protected]>; Mattias Gustin <[email protected]>; 
Nitesh Srivastava <[email protected]>; Hadeli Hadeli 
<[email protected]>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



In addition, has anyone manually confirmed the Defensics finding or is it a 
false positive?

Sascha





From: Sascha Stoeter
Sent: Friday, 22 March 2019 14:33
To: Srikant Sana <[email protected]>; Jocelyn Lau <[email protected]>; 
V-Ravi-Chaitanya Chebolu <[email protected]>; Anjana Rajan <[email protected]>; 
Joe Doetzl <[email protected]>
Cc: Manish Singh <[email protected]>; Brahmaji Naidu <[email protected]>; 
Aneta Jaworska <[email protected]>; Scott Pate <[email protected]>; 
Mattias Gustin <[email protected]>; Nitesh Srivastava <[email protected]>; 
Hadeli Hadeli <[email protected]>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



Hi all



Is the Defensics finding the only issue holding back the release?





Ravi:



> But on Defensics the issue reported as Authentication Bypass is different. 
> Here, the Defensics sends valid Username with no password, for which PCU400 
> responds with Authorization failure,

That’s as expected.



> then Defensics sends with invalid username with valid password (malformed 
> value) and determines that Authentication Bypass was possible.

Does this mean that any one of the passwords that are associated with a user on 
the device allows access regardless of the username?

Does authentication also work if an existing user name is used, but with a 
different user’s password?

What is the “malformed value”? The password was said to be correct…





Srikant:



Is the issue described above only allowing access to the PCUCAG module or to a 
wider set of functionality?



> In the current test scenario if authentication fails there is no possibility 
> to send a command to PCUCAG ,hence restricting the access for external 
> application to make any attempts to fail.

I’m not sure what this is supposed to say. The issue here is that 
authentication succeeds when it’s supposed to fail.



> The alternate solution suggested below is  to restrict the access to system 
> to only local system where in operator has to log locally to access PCUCAG 
> functionality , no external access to the system till the issue is resolved.

That’s the option that would prevent further release delays caused by the 
finding.





Cheers,

Sascha





From: Srikant Sana
Sent: Friday, 22 March 2019 10:33
To: Jocelyn Lau <[email protected]>; V-Ravi-Chaitanya Chebolu <[email protected]>; 
Anjana Rajan <[email protected]>
Cc: Manish Singh <[email protected]>; Brahmaji Naidu <[email protected]>; 
Aneta Jaworska <[email protected]>; Scott Pate <[email protected]>; 
Mattias Gustin <[email protected]>; Nitesh Srivastava <[email protected]>; 
Sascha Stoeter <[email protected]>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



Hi Jocelyn ,



PCU400 and PCUCAG details

PCU400 is a front end which basically acts as a communication server between the 
NM SCADA server and field RTUs/devices.

The module under test here is PCUCAG, which provides an interface for the operator 
to enable/disable the communication details.

The data coming into and going out of PCU are written into log (trace) files 
and at the same time displayed on the PuTTY (SSH) session through which 
the user is connected to the PCU application.

There is a list of predefined commands to enable/disable logging; any other 
message coming to PCUCAG will be discarded if it does not meet the standard 
syntax.

So the PCUCAG core functionality is to inform the protocol drivers in the system 
to enable/disable logs in PCU and write the details to log/flat files, 
primarily to support troubleshooting of the system in the commissioning stage or 
later based on need.



In the current test scenario, if authentication fails there is no possibility to 
send a command to PCUCAG, hence restricting the access for an external application 
to make any attempts to fail.

Even if this or any other application in PCU fails, there is an inbuilt mechanism 
to restart it.



The alternate solution suggested below is to restrict access to the system to 
the local system only, wherein the operator has to log in locally to access PCUCAG 
functionality, with no external access to the system till the issue is resolved.



Please let me know if any further details are required on this.



Regards

Srikant





From: Jocelyn Lau
Sent: Friday, March 22, 2019 12:14 PM
To: Srikant Sana <[email protected]>; V-Ravi-Chaitanya Chebolu <[email protected]>; 
Anjana Rajan <[email protected]>
Cc: Manish Singh <[email protected]>; Brahmaji Naidu <[email protected]>; 
Aneta Jaworska <[email protected]>; Scott Pate <[email protected]>; 
Mattias Gustin <[email protected]>; Nitesh Srivastava <[email protected]>; 
Sascha Stoeter <[email protected]>
Subject: Re: compilation issue found in libssh-0.7.6 on VS2017



[+Sascha]



Hello Srikant…



We cannot change the severity without more information from the vendor.  It 
sounds like this ticket has been opened now and we can try to escalate this.  
(@Rchaitanya Chebolu <[email protected]> / @Anjana Rajan <[email protected]>: 
can you help with this?)



In parallel while we work with the test vendor, let’s start the conversation 
with Sascha regarding a possible exception.  If you can provide more 
information to him, I have a meeting with him tomorrow afternoon to sync up and 
we can discuss this topic in our agenda.



Regards,

Jocelyn





From: Srikant Sana <[email protected]>
Date: Thursday, March 21, 2019 at 11:17 PM
To: V-Ravi-Chaitanya Chebolu <[email protected]>, Jocelyn Lau <[email protected]>
Cc: Manish Singh <[email protected]>, Anjana Rajan <[email protected]>, 
Brahmaji Naidu <[email protected]>, Aneta Jaworska <[email protected]>, 
Scott Pate <[email protected]>, Mattias Gustin <[email protected]>, 
Nitesh Srivastava <[email protected]>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



Hi Jocelyn & Ravi ,



Thank you for the support and inputs on the analysis of the reported issue.

As it seems to be an issue specific to the tool, can we have an exception or 
recategorization of the issue (currently it is reported as a critical issue), as 
it may take time to resolve from the vendor side as well.



Alternatively we can restrict the access of the application to localhost only, 
wherein if required the operator will connect to the PCU system using remote 
desktop.  Currently an operator can connect to the system using PuTTY (SSH) 
from a remote system.



We have a G5 planned by the end of this month, so please let us know how we can 
proceed further on this.



Regards

Srikant





From: V-Ravi-Chaitanya Chebolu
Sent: Friday, March 22, 2019 9:09 AM
To: Jocelyn Lau <[email protected]>; Nitesh Srivastava <[email protected]>
Cc: Manish Singh <[email protected]>; Anjana Rajan <[email protected]>; 
Srikant Sana <[email protected]>; Brahmaji Naidu <[email protected]>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



Hello Jocelyn,



Thanks for your mail. I have already raised a support query with Synopsys and 
am awaiting their response. I will update you once I get any update from them.



Regards,

Ravi Chaitanya.

Device Security Assurance Centre










From: Jocelyn Lau
Sent: Thursday, March 21, 2019 8:02 PM
To: V-Ravi-Chaitanya Chebolu <[email protected]>; Nitesh Srivastava <[email protected]>
Cc: Manish Singh <[email protected]>; Anjana Rajan <[email protected]>; 
Srikant Sana <[email protected]>; Brahmaji Naidu <[email protected]>
Subject: Re: compilation issue found in libssh-0.7.6 on VS2017



Hello Ravi..



Thank you for the detailed description/background for this issue.  I would 
recommend that we first open a support ticket with Synopsys to ask them about 
this discrepancy.  Based on their analysis, we can then discuss the question of 
the severity of this issue.



Thanks,

Jocelyn





From: V-Ravi-Chaitanya Chebolu <[email protected]>
Date: Thursday, March 21, 2019 at 5:01 AM
To: Jocelyn Lau <[email protected]>, Nitesh Srivastava <[email protected]>
Cc: Manish Singh <[email protected]>, Anjana Rajan <[email protected]>, 
Srikant Sana <[email protected]>, Brahmaji Naidu <[email protected]>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



Hello Jocelyn,



In PCU400, there is a high severity issue called the “Authentication Bypass” 
vulnerability.

Earlier, PCU400 was using a libSSH version lower than 0.7.6 which had the 
Authentication Bypass vulnerability, which was reported by both Nessus and 
Defensics.

So, the PCU400 team has updated the libSSH package to 0.7.7, which has the 
mitigation for Authentication Bypass.



Now when Nessus was run (with libssh 0.7.6 or 0.7.7) this Authentication Bypass 
was not reported. The Authentication Bypass observed for versions lower than 
0.7.6 occurred because a user could just skip the authentication process 
and have his client send SSH2_MSG_USERAUTH_SUCCESS, bypassing all checks, 
instead of sending SSH2_MSG_USERAUTH_REQUEST.



But on Defensics the issue reported as Authentication Bypass is different. 
Here, Defensics sends a valid username with no password, for which PCU400 
responds with an authorization failure, then Defensics sends an invalid username 
with a valid password (malformed value) and determines that Authentication Bypass 
was possible.



So, the issue is not fixed as per Defensics.



But the BU says that this service is not critical. Can you please let them 
know if it is possible to change the severity level from high to medium.



Regards,

Ravi Chaitanya.

Device Security Assurance Centre



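The RFC 4252 rule Nitesh quotes at the top of the thread and the two bypass variants Ravi distinguishes above (a client-sent SSH2_MSG_USERAUTH_SUCCESS, versus a changed username reusing an earlier valid password) modelled as a small server-side userauth state machine. This is an added example, not PCU400, libssh or Defensics code; it generalises to a two-factor policy so that the "flush accumulated state" rule actually matters, and the user store, keys and message sequences are constructed.

```python
# Server-side SSH user-auth state per RFC 4252 section 5 (constructed example;
# not PCU400, libssh or Defensics code; users, keys and sequences are made up).
from dataclasses import dataclass, field
from typing import Optional, Tuple
import hmac

SSH_MSG_USERAUTH_REQUEST = 50   # client -> server
SSH_MSG_USERAUTH_SUCCESS = 52   # server -> client only
SERVICE = "ssh-connection"
USERS = {"operator": "op-pass-1", "admin": "adm-pass-2"}          # constructed
TRUSTED_KEYS = {"operator": "ssh-ed25519 AAAAop", "admin": "ssh-ed25519 AAAAadm"}
REQUIRED = frozenset({"password", "publickey"})   # every user needs both


@dataclass
class AuthSession:
    authenticated: Optional[str] = None
    state_key: Optional[Tuple[str, str]] = None  # (user, service) owning `passed`
    passed: set = field(default_factory=set)     # methods completed for state_key

    def handle(self, msg_type: int, msg: dict) -> str:
        """Process one client message; returns SUCCESS, PARTIAL or FAILURE."""
        if msg_type == SSH_MSG_USERAUTH_SUCCESS:
            # Only the server sends USERAUTH_SUCCESS; from a client it is a
            # protocol error, never an authentication (the pre-0.7.6 libssh bug).
            raise ValueError("protocol error: USERAUTH_SUCCESS from client")
        if msg_type != SSH_MSG_USERAUTH_REQUEST:
            raise ValueError(f"unexpected message type {msg_type}")
        user, service, method = msg["user"], msg["service"], msg["method"]
        # RFC 4252 s.5: check user and service in every request and flush any
        # accumulated state if either of them changed.
        if (user, service) != self.state_key:
            self.state_key, self.passed = (user, service), set()
        if service != SERVICE or user not in USERS:
            return "FAILURE"   # unknown users never accumulate state
        if method == "password":
            ok = hmac.compare_digest(USERS[user], msg.get("password", ""))
        elif method == "publickey":
            ok = msg.get("key") == TRUSTED_KEYS[user]  # signature check elided
        else:
            ok = False         # "none" and unknown methods always fail
        if not ok:
            return "FAILURE"
        self.passed.add(method)
        if self.passed >= REQUIRED:
            self.authenticated = user
            return "SUCCESS"
        return "PARTIAL"


def run(sequence):
    """Feed (msg_type, msg) pairs to a fresh session; return (user, replies)."""
    session, replies = AuthSession(), []
    for msg_type, msg in sequence:
        try:
            replies.append(session.handle(msg_type, msg))
        except ValueError as err:
            replies.append(f"ERROR: {err}")
    return session.authenticated, replies


# Thread's Defensics sequence: valid user, no password; then a malformed user
# (0x20 appended) with the operator's valid password.  Both must fail.
DEFENSICS_LIKE = [
    (SSH_MSG_USERAUTH_REQUEST, {"user": "operator", "service": SERVICE, "method": "none"}),
    (SSH_MSG_USERAUTH_REQUEST, {"user": "operator\x20", "service": SERVICE,
                                "method": "password", "password": "op-pass-1"}),
]
```

A server built this way answers Sascha's questions below in the negative: a password only ever counts for the exact username it was verified against, and nothing a client sends can mark a session as authenticated.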







From: Nitesh Srivastava
Sent: Thursday, March 21, 2019 2:19 AM
To: V-Ravi-Chaitanya Chebolu <[email protected]>
Cc: Manish Singh <[email protected]>; Anjana Rajan <[email protected]>; 
Srikant Sana <[email protected]>; Brahmaji Naidu <[email protected]>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



Hi Ravi,



We have tested our PCU400 with all the latest versions of libssh (0.7.6 & 0.8.7) 
and resolved the Authentication Bypass issue successfully.



For the issue reported in Defensics, Authentication Bypass was successful by 
entering an invalid string in the username field: I must say this situation will 
never occur in the PCU400 system. The reason is, in the PCU400 system pcucag runs 
as a background process and is used to collect the logs for PCU400 bug 
investigation. Connecting to the pcucag process in PCU400 is done through 
localhost via any libssh based application (PuTTY), and this is done after 
connecting via a Remote Desktop connection (encrypted method) at the customer 
site by an authorized PSO/customer person.



Also in the PCU400 system, pcucag is not a critical process and the connections 
are discarded for an invalid username and password. I’ll suggest please consider 
this as an exceptional issue.



Please suggest and let me know about your concern.



Regards,

Nitesh










From: V-Ravi-Chaitanya Chebolu
Sent: Monday, March 11, 2019 10:03 AM
To: Srikant Sana <[email protected]>; Nitesh Srivastava <[email protected]>
Cc: Manish Singh <[email protected]>; Anjana Rajan <[email protected]>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



Hello Srikanth,



We are still awaiting response from Defensics.



The issues seem to be different, in that the one fixed by libSSH version 0.7.6 
is the Authentication Bypass which occurred because a user could just skip the 
authentication process and have his client send SSH2_MSG_USERAUTH_SUCCESS, 
bypassing all checks, instead of sending SSH2_MSG_USERAUTH_REQUEST. This issue 
is not reported now.



But the one reported in Defensics is different: in the Authorization Service 
Request message, Defensics is appending an invalid string in the username field 
and it reported that Authentication Bypass was successful.



Regards,

Ravi Chaitanya.

Device Security Assurance Centre










From: Srikant Sana
Sent: Monday, March 11, 2019 8:59 AM
To: V-Ravi-Chaitanya Chebolu <[email protected]>; Nitesh Srivastava <[email protected]>
Cc: Manish Singh <[email protected]>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



Hi Ravi ,



Is the downgraded version of libssh also showing the same issues? If so, when can 
we expect a response from Defensics, or is there a way to take an exception for 
this?

Based on your input, the Gate meeting has to be planned.



Regards

Srikant



From: V-Ravi-Chaitanya Chebolu
Sent: Thursday, March 07, 2019 5:34 PM
To: Nitesh Srivastava <[email protected]>
Cc: Srikant Sana <[email protected]>; Manish Singh <[email protected]>
Subject: RE: compilation issue found in libssh-0.7.6 on VS2017



Hello Nitesh,



This issue is reported by Defensics and we have raised a support case with 
them, once we get a response from them, we will let you know.



Regards,

Ravi Chaitanya.

Device Security Assurance Centre










From: Nitesh Srivastava
Sent: Thursday, March 07, 2019 5:20 PM
To: V-Ravi-Chaitanya Chebolu <[email protected]>
Cc: Srikant Sana <[email protected]>
Subject: FW: compilation issue found in libssh-0.7.6 on VS2017



Hi Ravi,



We have checked with libssh.org and as per them the "Authentication bypass 
vulnerability" is fixed in version 0.7.7.



Below is the response. Please have a look.



Regards,

Nitesh



-----Original Message-----
From: Andreas Schneider <[email protected]>
Sent: Thursday, March 07, 2019 4:24 PM
To: [email protected]
Cc: Nitesh Srivastava <[email protected]>
Subject: Re: compilation issue found in libssh-0.7.6 on VS2017








On Wednesday, March 6, 2019 7:05:22 PM CET Nitesh Srivastava wrote:
> Hi Andreas,
>
> Thanks for reply. I used the libssh-0.7.7 version and it compiled for me.
>
> But during my Product device security testing through Synopsys tool
> it failed for "Authentication bypass vulnerability" in version 0.7.7.



I would argue that this tool is broken. We have unit tests which prove that it 
is fixed ;-)



--
Andreas Schneider                 [email protected]
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D






--- End Message ---
