PuTTY, the popular open-source SSH client, has released a software update that patches eight security vulnerabilities.
PuTTY lets users remotely access computers over the SSH, Telnet and Rlogin protocols, and it is one of the most widely used open-source client-side programs.
The latest version, PuTTY 0.71 for Windows and Unix, arrives around 20 months after the previous release.
All previous versions of PuTTY were vulnerable to multiple security flaws that allowed a malicious or compromised server to attack a client's system in different ways.
PuTTY 0.71 patches eight vulnerabilities. Let's take a look at them.
Authentication Prompt Spoofing
Before 0.71, PuTTY had no way to indicate whether a piece of terminal output came from PuTTY itself or from the server. A malicious server could exploit this user-interface weakness to print a fake authentication prompt on the client, tricking the victim into typing a private-key passphrase that the server then receives as ordinary keyboard input. Version 0.71 addresses this by marking PuTTY's own prompts with a "trust sigil" that server output cannot reproduce.
According to the advisory, “If the server had also acquired a copy of your encrypted key file (which, for example, you might have considered safe to copy around because it was securely encrypted), then this would give it access to your private key.”
Code Execution via CHM Hijacking
When a user opens the online help from one of PuTTY's Windows GUI tools, the program looks for the help file (putty.chm) next to its own executable. An attacker who can plant a file in that location can therefore get the user to run malicious content on the client system by hijacking the CHM file.
If PuTTY is run from a directory into which unrelated code can drop files, then anyone able to place a file called putty.chm in that directory could have PuTTY treat it as the real help file and hand it to htmlhelp.exe. Running PuTTY from a directory that other users and programs cannot write to, rather than from a shared or download folder, removes that opportunity.
Buffer Overflow in Unix PuTTY Tools
When a server opens many port forwardings, PuTTY for Unix did not bounds-check the file descriptors it added to an fd_set while monitoring the active descriptors for activity. An fd_set is a fixed-size bitmap of FD_SETSIZE bits (1024 on glibc), so FD_SET() with a descriptor at or above that limit writes outside the structure: a buffer overflow.
It is not known whether this was exploitable for code execution, but it could at least be triggered remotely by a malicious SSH server if any option that lets the server open a channel is enabled: remote-to-local port forwarding, agent forwarding or X11 forwarding.
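To show why an unchecked FD_SET() is a memory-safety bug and what the bounds check looks like, here is an added example in C. It is not PuTTY's code: it wraps FD_SET() in a range check and simulates collecting the descriptors of many open channels. The descriptor numbers are constructed for the demonstration, and FD_SETSIZE is whatever the platform's <sys/select.h> defines.

```c
/* Added illustration, not PuTTY's code: an fd_set is a bitmap of
 * FD_SETSIZE bits, so FD_SET(fd, set) with fd >= FD_SETSIZE sets a bit
 * past the end of the structure and corrupts whatever follows it. */
#include <stdio.h>
#include <sys/select.h>

/* Returns 1 if fd was added to the set, 0 if it was rejected as out of range. */
int checked_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return 0;                   /* would write outside *set */
    FD_SET(fd, set);
    return 1;
}

/* Simulates gathering the descriptors of active channels into one set
 * before a select() call. Returns the number of descriptors accepted;
 * descriptors that would overflow the bitmap are counted in *rejected
 * instead of being added. An unchecked loop would call FD_SET directly. */
int collect_fds(const int *fds, int nfds, fd_set *set, int *rejected)
{
    int added = 0;
    *rejected = 0;
    FD_ZERO(set);
    for (int i = 0; i < nfds; i++) {
        if (checked_fd_set(fds[i], set))
            added++;
        else
            (*rejected)++;
    }
    return added;
}

int main(void)
{
    /* Constructed descriptor numbers: the last two stand in for what a
     * server opening channel after channel would eventually produce. */
    int fds[] = { 3, 4, 5, FD_SETSIZE - 1, FD_SETSIZE, FD_SETSIZE + 100 };
    fd_set set;
    int rejected;
    int added = collect_fds(fds, 6, &set, &rejected);
    printf("added %d, rejected %d (FD_SETSIZE=%d)\n", added, rejected, FD_SETSIZE);
    return 0;
}
```

Rejecting the descriptor keeps memory intact but still loses the channel, so the robust fix is an interface without a fixed table size, such as poll(2), which takes an array sized by the caller rather than a bitmap of fixed width.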
Reusing Cryptographic Random Numbers
PuTTY's cryptographic random number generator could occasionally hand out the same batch of random bytes twice, so values that must be unpredictable and used only once, such as padding and nonces, could be repeated.
Integer Overflow Flaw
All earlier versions of PuTTY had an integer overflow caused by a missing key-size check in the RSA key exchange. A remote server could trigger it by sending an unusually short RSA key: arithmetic on the key length overflowed, leading to uncontrolled overwriting of memory.
Terminal DoS Attacks
The last three vulnerabilities allow a server to crash or slow down the client's terminal by sending particular text output.
In the first, a server sends a long unbroken string of Unicode characters to the client's terminal, causing it to allocate a potentially unlimited amount of memory: a denial of service.
The second can be triggered in the GTK build by a combination of combining characters, double-width text and a terminal that is an odd number of columns wide.
In the third, sending width-2 characters (used for Chinese, Japanese and Korean text) can force PuTTY's terminal emulator to crash.
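The edge case behind the width-2 and odd-column reports is the same in any terminal emulator: a double-width glyph occupies two cells, and when the cursor sits on the last column there is only one cell left in the row. The added C example below is a toy screen model, not PuTTY's terminal code, that handles that case by wrapping before the write instead of writing one cell past the row. The 5-column, 3-row screen and the code point used are constructed for the demonstration.

```c
/* Added illustration, not PuTTY's code: placing a width-2 glyph when it
 * does not fit in the remaining columns of an odd-width row. */
#include <stdio.h>
#include <string.h>

#define ROWS 3
#define COLS 5   /* odd width: a width-2 glyph cannot start at column 4 */

/* One int per cell: 0 = blank, a code point for the left cell of a
 * glyph, -1 for the right half of a width-2 glyph. */
typedef struct {
    int cell[ROWS][COLS];
    int row, col;
} term_t;

void term_init(term_t *t)
{
    memset(t, 0, sizeof *t);
}

/* Moves to the start of the next row, scrolling the top row off. */
static void term_newline(term_t *t)
{
    t->col = 0;
    if (++t->row == ROWS) {
        memmove(t->cell[0], t->cell[1], sizeof t->cell[0] * (ROWS - 1));
        memset(t->cell[ROWS - 1], 0, sizeof t->cell[0]);
        t->row = ROWS - 1;
    }
}

/* Writes a glyph of width 1 or 2 at the cursor. Returns 0 on success,
 * -1 for an invalid width. The "if it does not fit, wrap first" check is
 * the guard that an unchecked emulator lacks: without it, cell[row][col+1]
 * for col == COLS-1 is one past the end of the row. */
int term_put(term_t *t, int codepoint, int width)
{
    if (width < 1 || width > 2)
        return -1;
    if (t->col + width > COLS)
        term_newline(t);
    t->cell[t->row][t->col] = codepoint;
    if (width == 2)
        t->cell[t->row][t->col + 1] = -1;
    t->col += width;
    if (t->col >= COLS)
        term_newline(t);
    return 0;
}

int main(void)
{
    term_t t;
    term_init(&t);
    /* Three width-2 glyphs into a 5-column row: the third must wrap. */
    for (int i = 0; i < 3; i++)
        term_put(&t, 0x4E2D, 2);
    printf("cursor at row %d col %d; cell[0][4]=%d cell[1][0]=%#x\n",
           t.row, t.col, t.cell[0][4], t.cell[1][0]);
    return 0;
}
```

A real emulator also has to decide what the orphaned last cell shows (blank, as here, is the usual choice) and must apply the same fit check when a combining character attaches to a width-2 base glyph, which is where the odd-column and combining-character reports meet.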
All PuTTY users are strongly advised to upgrade to the latest version, since every release before 0.71 is affected by the issues above.