Critical Update to PuTTY
Well, PuTTY has received an update that patches several vulnerabilities. According to The Hacker News, eight severe vulnerabilities were discovered in the SSH client, and the new version, PuTTY 0.71, has been released to fix the following.
1) Authentication Prompt Spoofing — PuTTY has no way to mark which text on screen is its own prompt and which is ordinary terminal output, so a malicious server can write output that looks exactly like PuTTY's authentication prompt and trick the victim into typing a private key passphrase into it.
“If the server had also acquired a copy of your encrypted key file (which, for example, you might have considered safe to copy around because it was securely encrypted), then this would give it access to your private key,” the advisory explains.
2) Code Execution via CHM Hijacking — When a user launches the online help from one of the PuTTY GUI tools on Windows, the software looks for its help file in the directory containing its own executable. If an attacker can drop a file of that name into the directory, PuTTY hands the attacker's CHM file to the help viewer instead of the real one, which could lead to execution of malicious code on the client system.
“If you were running PuTTY from a directory that unrelated code could arrange to drop files into, this means that if somebody contrived to get a file called putty.chm into that directory, then PuTTY would believe it was the real help file, and feed it to htmlhelp.exe.”
3) Buffer Overflow in Unix PuTTY Tools — According to the advisory, if a server opens too many port forwardings, the Unix PuTTY tools do not bounds-check the file descriptor numbers they add to the fixed-size set of descriptors they monitor for activity, so a high enough descriptor number overruns that set and causes a buffer overflow.
“We don’t know if this was remotely exploitable, but it could at least be remotely triggered by a malicious SSH server, if you enabled any of the options that allow the server to open a channel: remote-to-local port forwarding, agent forwarding or X11 forwarding,” the advisory says.
4) Reusing Cryptographic Random Numbers — PuTTY's cryptographic random number generator could occasionally hand out the same batch of random bytes twice.
“This occurred because of a one-byte buffer overflow in the random pool code. If entropy from an external source was injected into the random pool exactly when the current-position index was pointing at the very end of the pool, it would overrun the pool buffer by one byte and overwrite the low byte of the position index itself.”
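To make the mechanism in that quote concrete, here is a small constructed model written for this post (it is not PuTTY's code): a byte pool immediately followed in memory by its 32-bit little-endian position index, and a mix-in routine whose wrap check is off by one, so that entropy arriving while the index sits at the very end of the pool lands on the index's low byte. The pool size, the memory layout, the noise byte value and the toy output path are all assumptions chosen to show the effect, alongside a bounds-checked version that does not have it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOLSIZE 32u

/* Constructed model (not PuTTY's code): mem[0..POOLSIZE-1] is the pool,
 * mem[POOLSIZE..POOLSIZE+3] is the position index, little-endian. An
 * out-of-bounds write at mem[POOLSIZE] therefore hits the index's low byte. */
typedef struct {
    uint8_t mem[POOLSIZE + 4];
} pool_t;

static uint32_t pool_pos(const pool_t *p)
{
    uint32_t v = 0;
    for (int i = 3; i >= 0; i--)
        v = (v << 8) | p->mem[POOLSIZE + i];
    return v;
}

static void pool_set_pos(pool_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p->mem[POOLSIZE + i] = (uint8_t)(v >> (8 * i));
}

static void pool_init(pool_t *p)
{
    /* Recognisable pattern so a repeated batch is easy to spot. */
    for (uint32_t i = 0; i < POOLSIZE; i++)
        p->mem[i] = (uint8_t)(0xA0 + i);
    pool_set_pos(p, 0);
}

/* Vulnerable mix-in: the wrap test is off by one (> instead of >=), so a call
 * that arrives with the index already equal to POOLSIZE writes one byte past
 * the pool. The index is stored before the byte is written (as an
 * "a[i++] ^= x" may do), so the stray write corrupts the index itself. */
static void pool_add_noise_vulnerable(pool_t *p, const uint8_t *noise, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        uint32_t pos = pool_pos(p);
        if (pos > POOLSIZE)          /* BUG: lets pos == POOLSIZE through */
            pos = 0;
        pool_set_pos(p, pos + 1);
        p->mem[pos] ^= noise[i];     /* pos == POOLSIZE: clobbers the index */
    }
}

/* Fixed mix-in: bounds-check before every write, so pos is always < POOLSIZE. */
static void pool_add_noise_fixed(pool_t *p, const uint8_t *noise, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        uint32_t pos = pool_pos(p);
        if (pos >= POOLSIZE)
            pos = 0;
        p->mem[pos] ^= noise[i];
        pool_set_pos(p, pos + 1);
    }
}

/* Toy output path: hand out pool bytes from the current index. A real
 * generator hashes the pool instead, but the index rewind is what matters. */
static void pool_next_batch(pool_t *p, uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t pos = pool_pos(p);
        if (pos >= POOLSIZE)
            pos = 0;
        out[i] = p->mem[pos];
        pool_set_pos(p, pos + 1);
    }
}

/* The advisory's scenario: hand out one full batch so the index sits exactly
 * at the end of the pool, then inject one byte of external entropy. */
static void run_scenario(pool_t *p, int use_fixed, uint8_t *first_batch)
{
    const uint8_t noise = 0x21;  /* constructed: equals the low byte of POOLSIZE+1,
                                    so the stray XOR zeroes the index and rewinds
                                    the pool to 0; other values rewind elsewhere */
    pool_init(p);
    pool_next_batch(p, first_batch, POOLSIZE);   /* index == POOLSIZE now */
    if (use_fixed)
        pool_add_noise_fixed(p, &noise, 1);
    else
        pool_add_noise_vulnerable(p, &noise, 1);
}

/* Index value after the mix-in: 0 (corrupted) for the bug, 1 for the fix. */
uint32_t index_after_mixin(int use_fixed)
{
    pool_t p;
    uint8_t batch[POOLSIZE];
    run_scenario(&p, use_fixed, batch);
    return pool_pos(&p);
}

/* 1 if the next batch handed out is byte-for-byte the previous one. */
int batch_reused(int use_fixed)
{
    pool_t p;
    uint8_t first[POOLSIZE], second[POOLSIZE];
    run_scenario(&p, use_fixed, first);
    pool_next_batch(&p, second, POOLSIZE);
    return memcmp(first, second, POOLSIZE) == 0;
}

int main(void)
{
    printf("vulnerable: index=%u reused=%d\n",
           (unsigned)index_after_mixin(0), batch_reused(0));
    printf("fixed:      index=%u reused=%d\n",
           (unsigned)index_after_mixin(1), batch_reused(1));
    return 0;
}
```

With the off-by-one check the single injected byte never reaches the pool at all; it rewrites the index, the generator rewinds, and the next batch it hands out is identical to the one before. The fixed routine mixes the byte into the pool and advances the index by one as intended.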
5) Integer Overflow Flaw — All prior versions of PuTTY have an integer overflow caused by a missing key-size check in RSA key exchange. A remote server can trigger it by sending a short RSA key, which leads to an integer overflow and an uncontrolled overwrite of memory.
PuTTY's developers are not sure whether this flaw can be exploited to gain control of the client, but because it occurs during key exchange, which happens before host key checking, the overflow can be induced by a man-in-the-middle attacker who does not know the correct host key.
“So even if you trust the server you think you are connecting to, you are not safe.”
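The following added example (written for this post, not PuTTY's code) models the length arithmetic behind that class of bug. RFC 4432 RSA key exchange sizes the shared secret K at KLEN - 2*HLEN - 49 bits, where KLEN is the bit length of the server's transient RSA key and HLEN the hash length in bits; if the client performs that subtraction on an attacker-chosen KLEN without first checking the minimum key size, an unsigned result wraps to roughly 2^32 bits for any key shorter than 2*HLEN + 49 bits, and a buffer sized from the modulus is then far too small for what the client writes. The sizing struct and the 1024-bit minimum for the rsa1024-sha1 method are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not PuTTY's code) of how a client sizes K in RFC 4432
 * RSA key exchange: K has KLEN - 2*HLEN - 49 bits. */
#define HLEN_BITS_SHA1   160u   /* SHA-1, as used by rsa1024-sha1 */
#define RSA_KEX_SLACK    49u    /* RFC 4432 overhead */
#define RSA1024_MIN_BITS 1024u  /* RFC 4432 minimum transient key for rsa1024-sha1 */

typedef struct {
    uint64_t buf_bytes;    /* scratch buffer sized from the modulus */
    uint64_t write_bytes;  /* bytes the K-building code would write */
    int      overflows;    /* 1 if that write runs past the buffer */
} kex_sizing;

static uint64_t bits_to_bytes(uint32_t bits)
{
    return ((uint64_t)bits + 7) / 8;
}

/* Vulnerable: trusts KLEN from a server that has not yet been authenticated.
 * For klen_bits < 2*HLEN + 49 the unsigned subtraction wraps, so write_bytes
 * becomes ~512 MiB while buf_bytes stays at the modulus size. */
kex_sizing size_k_unchecked(uint32_t klen_bits)
{
    kex_sizing s;
    uint32_t k_bits = klen_bits - 2u * HLEN_BITS_SHA1 - RSA_KEX_SLACK;
    s.buf_bytes   = bits_to_bytes(klen_bits);
    s.write_bytes = bits_to_bytes(k_bits);
    s.overflows   = s.write_bytes > s.buf_bytes;
    return s;
}

/* Fixed: reject the transient key before doing arithmetic on its length.
 * Returns 0 and fills *out on success, -1 if the key is too short, in which
 * case the exchange must be aborted (this runs before host key checking, so
 * a man-in-the-middle can reach it). */
int size_k_checked(uint32_t klen_bits, kex_sizing *out)
{
    if (klen_bits < RSA1024_MIN_BITS)
        return -1;
    *out = size_k_unchecked(klen_bits);  /* cannot wrap once klen >= 1024 */
    return 0;
}

int main(void)
{
    kex_sizing s = size_k_unchecked(1024u);
    printf("1024-bit key: write %llu into %llu bytes, overflow=%d\n",
           (unsigned long long)s.write_bytes, (unsigned long long)s.buf_bytes,
           s.overflows);
    s = size_k_unchecked(256u);
    printf(" 256-bit key: write %llu into %llu bytes, overflow=%d\n",
           (unsigned long long)s.write_bytes, (unsigned long long)s.buf_bytes,
           s.overflows);
    printf(" 256-bit key, checked: %s\n",
           size_k_checked(256u, &s) == 0 ? "accepted" : "rejected");
    return 0;
}
```

A 1024-bit key gives a 655-bit K (82 bytes) comfortably inside a 128-byte buffer; a 256-bit key wraps to 4294967183 bits, which the unchecked code would try to write into a 32-byte buffer. The check on the key size has to come first, because nothing earlier in the exchange has established who the peer is.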
6, 7 and 8) Terminal DoS Attacks — The last three vulnerabilities allow a malicious server to crash or slow down the client's terminal by sending specially crafted output.
A server can send a long unbroken string of Unicode combining characters to the client's terminal, causing it to allocate a potentially unlimited amount of memory, which is a denial of service.
The second DoS is triggered by combining characters sent on top of double-width text when the terminal has an odd number of columns and PuTTY is running on the GTK front end.
In the third, sending width-2 characters, such as those used for Chinese, Japanese and Korean text, to a terminal that is only one column wide forces PuTTY's terminal emulator to crash.
If you use PuTTY, make sure you download and use the latest version (0.71 or newer).