
PuTTY in your hands: SSH client gets patched after RSA key exchange memory vuln spotted

Bunch of bugs stomped with version 0.71


Venerable SSH client PuTTY has received a pile of security patches, with its lead maintainer admitting to The Register that one fixed a "'game over' level vulnerability".

The fixes implemented in PuTTY over the weekend include new features plugging a plethora of vulns in the Telnet and SSH client, most of which were uncovered as part of an EU-sponsored HackerOne bug bounty.

Version 0.71 of PuTTY includes fixes for:

Lead maintainer and "benevolent dictator" of all things PuTTY Simon Tatham told El Reg that "of all the things found by the EU bug bounty programme, the most serious was vuln-dss-verify. That really is a 'game over' level vulnerability for a secure network protocol: a MITM attacker could bypass the SSH host key system completely."

"Luckily," he continued, "it never appeared in a released version of PuTTY: it was introduced during work to rewrite the crypto for side-channel safety, and spotted only a few weeks later by a bug-bounty participant, well before the release came out. So the EU protected almost everybody from that one."

Another one of the patched vulns was PuTTY not enforcing minimum key lengths during RSA key exchange, creating an integer overflow situation. Tatham explained that this "could be triggered by a server whose host key hasn't yet been authenticated. So you'd not only have been at risk from servers you actually trust turning out to be untrustworthy; you were also at risk from anyone who could MITM your connection to such a server, because the usual mechanism that protects you from MITM has not yet kicked in at that stage in the connection."
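The check described above, as an added example that is not PuTTY's code and not from the article: a client parses the server's transient RSA public key and refuses to continue if the modulus is shorter than the method's minimum before it derives the size of its own secret. The secret-size formula (0 <= K < 2^(KLEN - 2*HLEN - 49), with KLEN the modulus bit length and HLEN the hash output length) and the minimum key sizes are taken from RFC 4432, not from the article; the key-blob layout follows the standard "ssh-rsa" encoding, and the sample moduli are constructed to have a given bit length and are not real RSA keys.

```python
"""Minimum-key-length check for SSH RSA key exchange (RFC 4432).

Constructed example for this article; not PuTTY's implementation.
"""
import struct

# Per RFC 4432: method -> (minimum transient key size in bits, hash size in bits)
RSA_KEX_METHODS = {
    "rsa1024-sha1": (1024, 160),
    "rsa2048-sha256": (2048, 256),
}


def read_string(buf: bytes, off: int):
    """Read an SSH 'string' (uint32 big-endian length + bytes); return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def read_mpint(buf: bytes, off: int):
    """Read an SSH 'mpint' (two's-complement big-endian integer inside a string)."""
    raw, off = read_string(buf, off)
    return int.from_bytes(raw, "big", signed=True), off


def write_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def write_mpint(x: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    if x == 0:
        return write_string(b"")
    return write_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def make_rsa_blob(e: int, n: int) -> bytes:
    """Build an 'ssh-rsa' public key blob: string "ssh-rsa", mpint e, mpint n."""
    return write_string(b"ssh-rsa") + write_mpint(e) + write_mpint(n)


def parse_transient_key(blob: bytes):
    """Parse an 'ssh-rsa' blob into (e, n), rejecting malformed or trailing data."""
    kind, off = read_string(blob, 0)
    if kind != b"ssh-rsa":
        raise ValueError(f"unexpected key type {kind!r}")
    e, off = read_mpint(blob, off)
    n, off = read_mpint(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after key")
    if e <= 0 or n <= 0:
        raise ValueError("non-positive RSA parameter")
    return e, n


def unchecked_secret_bits(klen: int, hlen: int) -> int:
    """The RFC 4432 exponent computed with no minimum-length check.

    With a short modulus this goes negative; an implementation that does the
    same arithmetic in an unsigned machine integer wraps instead of failing,
    which is the integer-overflow situation the article describes."""
    return klen - 2 * hlen - 49


def client_secret_bits(method: str, transient_key_blob: bytes) -> int:
    """Return the bit length allowed for the client's secret K after enforcing
    the method's minimum transient key size.

    This runs before the server's host key has been verified, so the blob must
    be treated as untrusted input: the length check is the only thing standing
    between a hostile or MITM'd server and the arithmetic below."""
    min_klen, hlen = RSA_KEX_METHODS[method]
    _, n = parse_transient_key(transient_key_blob)
    klen = n.bit_length()
    if klen < min_klen:
        raise ValueError(f"{method}: transient key is {klen} bits, minimum is {min_klen}")
    return unchecked_secret_bits(klen, hlen)


if __name__ == "__main__":
    # Constructed moduli with a chosen bit length (not real RSA keys).
    good = make_rsa_blob(65537, (1 << 2047) | 1)   # 2048-bit
    short = make_rsa_blob(65537, (1 << 511) | 1)   # 512-bit
    print("rsa2048-sha256 secret bits:", client_secret_bits("rsa2048-sha256", good))
    print("unchecked exponent for 512-bit key:", unchecked_secret_bits(512, 256))
    try:
        client_secret_bits("rsa2048-sha256", short)
    except ValueError as err:
        print("rejected:", err)
```

The hardened path fails closed on the length check; the unchecked helper is kept only to make the negative exponent visible for the short key.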

The other major vuln patched in v0.71 involved planting a malicious help file in the PuTTY root directory, something Tatham said wouldn't have applied to those using the regular Windows .msi installer.

Opened in January, the EU review of PuTTY paid out more than $17,500 and was funded by the EU Directorate-General for Informatics, which describes itself as "providing digital services that support other Commission departments". The bounty formed a wider part of the EU's ongoing Free and Open Software Audit, or FOSSA. ®
