Welcome to the VanDyke Software Forums

  #1  
Old 01-16-2016, 11:55 PM
MUQRIN
Registered User
 
Join Date: Jan 2016
Posts: 1
Critical Secure Bug in openSSH!

Gentlemen,

There's some news about a critical bug when using OpenSSH. We would like to be sure that SecureCRT is protected against this security bug. Please refer to the link below:
http://thehackernews.com/2016/01/ope...okeys.html?m=1

Regards,
  #2  
Old 01-18-2016, 07:13 AM
bgagnon
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,636
Hi Muqrin,

Our initial findings indicate that the CVE-2016-0777 (information leak) and CVE-2016-0778 (buffer overflow) vulnerabilities are specific to OpenSSH client code from version 5.4 to 7.1.

VanDyke Software products do not share/use OpenSSH code. Therefore this vulnerability does not apply to any VanDyke Software product.

If our investigation yields anything other than our initial findings, we will be sure to post in this forum thread.

If you prefer direct email notification, send an email to support@vandyke.com and include "Forum Thread #12206" in the subject line.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730

Last edited by jdev; 01-18-2016 at 10:53 AM.
  #3  
Old 01-19-2016, 03:08 PM
jdev
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 1,099
Summary
CVE-2016-0777 (information leak) and CVE-2016-0778 (buffer overflow) vulnerabilities are not applicable to VanDyke Software products.

Description
CVE-2016-0777 (information leak) and CVE-2016-0778 (buffer overflow) vulnerabilities are specific to OpenSSH client code from version 5.4 to 7.1 in which some left-over code from an experimental "roaming" feature is the root cause of these vulnerabilities.
VanDyke Software products do not share or use OpenSSH code, nor is the "roaming" feature implemented or supported in any way. These vulnerabilities are not applicable to any VanDyke Software product.

Products Affected
These vulnerabilities are not present in any VanDyke Software products.

Details
The information leak (CVE-2016-0777) is specific to the OpenSSH support of a "resume@appgate.com" key exchange algorithm and an SSH protocol request of "roaming@appgate.com", both of which are directly tied to OpenSSH's experimental "roaming" feature, which is not present in any VanDyke Software product.

The buffer overflow vulnerability (CVE-2016-0778) is also specific to OpenSSH support of the experimental "roaming" feature, which is also not present in any VanDyke Software product.

Recommended Solution
VanDyke Software products aren’t vulnerable to either CVE-2016-0777 or CVE-2016-0778.

Official Postings
https://www.qualys.com/2016/01/14/cv...-2016-0778.txt

__________________
Jake Devenport
VanDyke Software
Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support
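
The version range quoted in the thread (OpenSSH client 5.4 to 7.1) can be turned into an inventory check. The following is an added example, not part of the thread and not VanDyke or OpenSSH code: it classifies a client from its `ssh -V` banner and checks whether the client configuration turns roaming off. `UseRoaming` is the OpenSSH client option for the roaming feature and is not named in the thread; the banners and config text are constructed samples.

```python
import re

# Affected OpenSSH client range as stated in the thread: 5.4 to 7.1.
AFFECTED_MIN, AFFECTED_MAX = (5, 4), (7, 1)
_BANNER = re.compile(r"OpenSSH_(\d+)\.(\d+)")

def openssh_version(banner):
    """Return (major, minor) parsed from `ssh -V` output, or None if the
    banner is not an OpenSSH one (patch level such as p1 is ignored)."""
    m = _BANNER.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def roaming_disabled(config_text):
    """True if the first UseRoaming setting that applies to every host
    (before any Host/Match line, or under `Host *`) is 'no'.
    Per-host blocks are ignored, so this is a conservative check."""
    all_hosts = True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key in ("host", "match"):
            all_hosts = key == "host" and value == "*"
        elif key == "useroaming" and all_hosts:
            return value.lower() == "no"
    return False

def assess(banner, config_text=""):
    """Classify one client from its version banner and ssh_config text."""
    ver = openssh_version(banner)
    if ver is None:
        return "not-openssh"
    if not (AFFECTED_MIN <= ver <= AFFECTED_MAX):
        return "outside-affected-range"
    if roaming_disabled(config_text):
        return "in-range-roaming-disabled"
    return "in-range-review"

if __name__ == "__main__":
    # Constructed sample banners and config, not taken from the thread.
    cfg = "Host *\n    UseRoaming no\n"
    for b in ("OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014",
              "OpenSSH_7.2p2, OpenSSL 1.0.2g", "ExampleSSH 1.0"):
        print(f"{b.split(',')[0]:<40} {assess(b, cfg)}")
```

Because only major.minor is compared, an in-range result means the build needs a closer look at its patch level and vendor fixes, not that it is confirmed vulnerable.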