Critical key exchange vulnerability in PuTTY

PuTTY, the SSH client has been updated with various security patches, while its main maintainers recently admitted that a critical vulnerability was corrected, reported online ethical hacking training experts from International Institute of Cyber Security.

Among the fixes received recently PuTTY include new features to solve multiple vulnerabilities in the Telnet and SSH client; according to the online ethical hacking training experts, most of the vulnerabilities were discovered thanks to the vulnerability bounty program sponsored by the European Union.

PuTTY version 0.71 includes corrections for:

  • Remotely executable memory overwrite
  • A possible recycling of random numbers used in cryptography
  • Hijacking through malicious files on Windows
  • Remotely executable buffer overflow on Unix
  • Possibility of generating denial of service conditions

According to the online ethical hacking training experts, the main maintainers of PuTTY believe that, among the vulnerabilities reported in the EU bounty program, the most serious is vuln-dss-verify; “Through a Man-in-the-Middle (MiTM) attack, the EDL host SSH keys could be omitted completely”, the PuTTY maintenance managers mentioned.

Fortunately, this vulnerability never appeared in an available version of PuTTY, but it was presented when the code was rewritten for the security of the side channel, so only long before the release of version 0.71.

Another of the flaws detected is that PuTTY does not impose a minimum of characters during the RSA key exchange, which generates an integer overflow. “This could be exploited by a server whose host key is not authenticated”.

Finally, in version 0.71 was corrected a vulnerability that involved the injection of a malicious help file in the root directory of PuTTY, although the maintainers commented that those who use the Windows .msi installer are not affected by this flaws.

This research project was sponsored by the EU Directorate-General for Informatics, which granted more than $17.5k USD in rewards.