Critical Update to PuTTY

For those who don’t know, PuTTY is an almost ubiquitous tool in the Managed RSP services side of the tech industry.  On site, it allows users terminal access, and control, into pretty much anything attached to a server that uses a command line interface.  It is rarely updated so to have it updated for 8 separate vulnerabilities is a bit surprising to the community at large.

Well, it seems PuTTY got an update that patched several vulnerabilities.  According to The Hacker News, there were 8 severe-rated vulnerabilities discovered.  The new version of PuTTY (v0.71) has been released while patching the following vulnerabilities.

1) Authentication Prompt Spoofing — Since PuTTY doesn’t have a way to indicate whether a piece of terminal output is genuine, the user-interface issue could be exploited by a malicious server to generate a fake authentication prompt at the client side, prompting victims to enter their private key passphrases.

“If the server had also acquired a copy of your encrypted key file (which, for example, you might have considered safe to copy around because it was securely encrypted), then this would give it access to your private key,” the advisory explains.

2) Code Execution via CHM Hijacking — When a user launches the online help within the PuTTY GUI tools, the software tries to locate its help file alongside its own executable.

This behavior could allow an attacker to trick the user into executing malicious code on the client system via the hijacking CHM file.

“If you were running PuTTY from a directory that unrelated code could arrange to drop files into, this means that if somebody contrived to get a file called putty.chm into that directory, then PuTTY would believe it was the real help file, and feed it to htmlhelp.exe.”

3) Buffer Overflow in Unix PuTTY Tools — According to the advisory, if a server opens too many port forwardings, PuTTY for Unix does not bounds-check the input file descriptor it collects while monitoring the collections of active Unix file descriptors for activity, leading to a buffer overflow issue.

“We don’t know if this was remotely exploitable, but it could at least be remotely triggered by a malicious SSH server, if you enabled any of the options that allow the server to open a channel: remote-to-local port forwarding, agent forwarding or X11 forwarding,” the advisory says.

4) Reusing Cryptographic Random Numbers — This issue resides in the way cryptographic random number generator in PuTTY, occasionally using the same batch of random bytes twice.

“This occurred because of a one-byte buffer overflow in the random pool code. If entropy from an external source was injected into the random pool exactly when the current-position index was pointing at the very end of the pool, it would overrun the pool buffer by one byte and overwrite the low byte of the position index itself.”

5) Integer Overflow Flaw — All prior versions of PuTTY suffers an Integer overflow issue due to missing key-size check-in RSA key exchange.

A remote server can trigger the vulnerability by sending a short RSA key, leading to an integer overflow and uncontrolled overwriting of memory.

PuTTY developers are not sure if this flaw can be exploited to gain control over the client, but since the issue occurs during key exchange and happens before host key checking, the overflow can be induced by a MitM attack even if the middle man does not know the correct host key.

So even if you trust the server you think you are connecting to, you are not safe.”

6, 7 and 8) Terminal DoS Attacks — Last three vulnerabilities in PuTTY allows a server to crash, or slow down client’s terminal by sending different text outputs.

Servers can send a long unbroken string of Unicode characters to the client’s terminal, which could lead to a denial-of-service attack by causing the system to allocate potentially unlimited amounts of memory.

The second DoS attack can be triggered by sending combining characters, double-width text, an odd number of terminal columns, and GTK to the client’s terminal in output.

In the third DoS attack, by sending width-2 characters used by Chinese, Japanese and Korean to the client, PuTTY’s terminal emulator can be forced to crash.

If you use PuTTY, make sure you download and use the latest version of it.


Leave a Comment