Nortel Networks Information for VU#369347

OpenSSH vulnerabilities in challenge response handling



Vendor Statement

Nortel Networks has concluded its portfolio review and has determined that the following two products are shipped with OpenSSH:

  1. In STORM, release SN04, the challenge response authentication feature is not used and therefore Nortel Networks recommends that it be disabled, which will not impact the product. The recommendations in CERT Advisory CA-2002-18 to disable features should be followed.
  2. The SFTP sshd server on the SuperNode Data Manager is not affected by the vulnerabilities noted in CERT Advisory CA-2002-18 because the challenge response and separation of privileges mechanisms are not enabled as shipped with ASG Passwerks v3.x.

The core OpenSSH distribution will be upgraded to v3.4 with the SN05 release.

For more information please contact Nortel at:
    North America: 1-8004NORTEL or 1-800-466-7835

    Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009

Contacts for other regions are available at

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.