Junhao777
Copper Contributor
Apr 12, 2023

CVE-2023-28531 OpenSSH

Hello Everyone,


May I ask if the OpenSSH tool in Windows Server is affected by this vulnerability, CVE-2023-28531, reported by NVD (link below)?

https://nvd.nist.gov/vuln/detail/CVE-2023-28531

The known affected software configurations only list OpenBSD products, so I am wondering whether this affects Windows as well.

  • tbiles
    Copper Contributor
    I can't answer your question directly, but this brings up a bigger issue I have with OpenSSH in Windows. While I think it was a good move to include this in the OS, I'm disappointed that Microsoft doesn't keep the product patched like it does for the rest of the operating system. I looked into this recently with the Terrapin vulnerability (which all bundled versions of OpenSSH in Windows currently have). There were two options to deal with the problem:
    1) Research and develop an appropriate ssh config file to disable the features that were vulnerable. This turned out to be a rather difficult and involved process.
    2) Remove the Windows feature and install the latest OpenSSH manually. The caveat here is that it is beta software, whose disclaimer says not to use it in a production environment. Care must be taken, as the default installer will install both the ssh server AND client, and you will turn your Windows device into a possibly even more vulnerable ssh server unless you know what you are doing.

    Since Microsoft has made other good strides for interoperability with Linux and the overall security of the Windows OS, why is this very common tool seemingly "ignored"?
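Before deciding whether an advisory like the one linked above applies, an administrator first needs to know which OpenSSH components a Windows host actually carries and whether the server side is present. The following PowerShell inventory script is an added example and not code from either poster or from Microsoft; it assumes an elevated session (Get-WindowsCapability needs it), and `$MinimumFixedVersion` is a placeholder the admin fills in from the advisory, since the script itself does not know which release fixes a given CVE.

```powershell
# Added example (not from the thread): inventory the OpenSSH components on a
# Windows host so their versions can be compared with an advisory such as the
# NVD entry linked above. $MinimumFixedVersion is a placeholder supplied by the
# admin from the advisory; nothing here encodes which version fixes which CVE.
param(
    [version]$MinimumFixedVersion = '0.0'   # e.g. the "fixed in" version from NVD
)

# 1. Which OpenSSH features are installed as Windows capabilities (client/server)?
Get-WindowsCapability -Online -Name 'OpenSSH*' |
    Select-Object Name, State |
    Format-Table -AutoSize

# 2. Which ssh binary is first on PATH, and what version does it report?
#    A manually installed build may shadow the bundled one, so resolve the path.
#    ssh -V prints to stderr, e.g. "OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2".
$sshCmd = Get-Command ssh -ErrorAction SilentlyContinue
if (-not $sshCmd) {
    Write-Warning 'No ssh binary found on PATH.'
    return
}
$banner = (& $sshCmd.Source -V 2>&1 | Out-String).Trim()
Write-Output "ssh binary : $($sshCmd.Source)"
Write-Output "ssh banner : $banner"

# 3. Pull the numeric version out of the banner and compare it with the threshold.
if ($banner -match 'OpenSSH(?:_for_Windows)?_(\d+)\.(\d+)') {
    $installed = [version]"$($Matches[1]).$($Matches[2])"
    if ($installed -lt $MinimumFixedVersion) {
        Write-Warning "Installed OpenSSH $installed is older than $MinimumFixedVersion; review the advisory."
    } else {
        Write-Output "Installed OpenSSH $installed meets the $MinimumFixedVersion threshold."
    }
} else {
    Write-Warning 'Could not parse a version from the ssh banner.'
}

# 4. Is the SSH server present or running? This is the reply's caveat: a manual
#    install can add sshd next to the client, so check the service explicitly.
$sshd = Get-Service -Name sshd -ErrorAction SilentlyContinue
if ($sshd) {
    Write-Output "sshd service : $($sshd.Status) (StartType $($sshd.StartType))"
} else {
    Write-Output 'sshd service : not installed'
}
```

Run it as `.\Inventory-OpenSSH.ps1 -MinimumFixedVersion 9.3` (substituting the version the advisory names) and treat a warning from step 3 or a running sshd from step 4 as the prompt to apply one of the two options tbiles describes.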
