Putty security vulnerabilities

[myselfolli]

A number of security flaws have been found in the SSH-Client Putty -> Original article (GERMAN)

 

I wasn't able to find an english source, but I did my best to translate all important aspects of the article.

 

Quote

[Translated from German]

The developers of the free software 'Putty' have released a new version, that fixes multiple security flaws. The most critical bug is a memory-corruption bug, which allowed overwriting of memory blocks. This could be done before the server identity had been checked.

 

[Original Quote]

Die Entwickler der freien Software Putty haben eine neue Version veröffentlicht, in der mehrere Sicherheitslücken behoben wurden. Der kritischste Bug ist eine Memory-Corruption-Lücke, die das Überschreiben von Speicher erlaubte.Diese konnte von einem bösartigen Server noch vor der Überprüfung der Serveridentität ausgelöst werden.

Numerous problems have been found by the EU's FOSSA project (free and open source software auditing), in which people, who managed to find and report security flaws in software, could be rewarded financially. This Bug-Bounty project for putty has obviously worked.

 

Quote

[Translated from German]

The mentioed memory-corruption bug occurs when handling RSA-keys and could have been used by an attacker to execute malitious code on the users system. There was also a bug with the handling of randomly generated numbers. On windows, a help-file sitting in the same directory as the putty-file, could have been used for an attack. On Unix there was a buffer overflow with forwarding functions.

[Original Quote]

Die bereits genannte Memory-Corruption-Lücke tritt bei der Verarbeitung von RSA-Schlüsseln auf und könnte von einem Netzwerkangreifer genutzt werden, um Schadcode auf dem System eines Anwenders auszuführen. Weiterhin wurde ein Fehler bei der Verwendung von Zufallszahlen gefunden. Unter Windows kann eine Help-Datei, die sich im selben Verzeichnis wie die Putty-Datei befindet, für Angriffe genutzt werden. Auf Unix-Systemen gibt es zudem einen Buffer Overflow bei Forwarding-Funktionen.

 

Quote

[Translated from German]
Even users, that don't use putty directly may be affected, since a sizeable number of graphical frontends for SSH and the associated SFTP-protocol use putty's code.

[Original Quote]
Auch Anwender, die Putty nicht direkt nutzen, sind möglicherweise betroffen, denn eine ganze Reihe von grafischen Frontends für SSH und das zugehörige Dateiübertragungsprotokoll SFTP setzen den Code von Putty ein

AFAIK the bugs have been fixed in putty's latest update, there was also an update for FileZilla (which is probably the most used graphical frontend for SSH/SFTP), but the patch notes only mention the bug concerning the RSA-key. As for WinSCP, according to the bug tracker, the bugs are still being worked on, but no update has been released yet.
 

My understanding is, that the security flaws were very situational and mostly required access to the users network, but I'll still of course update everything and steer clear of using FileZilla for a few days.

[Sir Asvald]

I AM LITERALLY USING PUTTY TO CONFIGURE MY DAMN CISCO ROUTER... !!!!

 

WHY DOES THIS HAPPEN TO ME.

 

Back to being normal. Well, this sucks. Now I have to use something else....

[Ashley MLP Fangirl]

who still uses that? SSH is built into all the major OS's now. just open command prompt on Windows or the terminal on macOS and Linux and you can use SSH. 

[2FA]

1 minute ago, firelighter487 said:

who still uses that? SSH is built into all the major OS's now. just open command prompt on Windows or the terminal on macOS and Linux and you can use SSH. 

Honestly the only thing I've used it for recently was a serial connection.

[Ashley MLP Fangirl]

Just now, 2FA said:

Honestly the only thing I've used it for recently was a serial connection.

on linux and macOS you can do: screen /dev/tty.usbserial

 

if you have a usb serial adaptor that is. on Windows i don't know. 

 

btw if that command doesn't work the serial adaptor has a different name in /dev. to figure out what it needs to be use: ls /dev/*usb*

 

that will show the correct name. 

[mynameisjuan]

5 minutes ago, firelighter487 said:

who still uses that? SSH is built into all the major OS's now. just open command prompt on Windows or the terminal on macOS and Linux and you can use SSH. 

As an ISP engineer, we all use putty. Enterprise gear rarely has any configuration on them and putty is NEEDED for console. Even then its ssh from putty to LAN gear.

[Ashley MLP Fangirl]

1 minute ago, mynameisjuan said:

As an ISP engineer, we all use putty. Enterprise gear rarely has any configuration on them and putty is NEEDED for console. Even then its ssh from putty to LAN gear.

you don't need putty for console or ssh. see my posts above yours. 

[mynameisjuan]

1 minute ago, firelighter487 said:

you don't need putty for console or ssh. see my post above yours. 

6 minutes ago, firelighter487 said:

if you have a usb serial adaptor that is. on Windows i don't know. 

Guess what we use (and Windows built in linux support is shit with serial adapters). Ive been down this route before

 

[Ashley MLP Fangirl]

1 minute ago, mynameisjuan said:

Guess what we use (and Windows built in linux support is shit with serial adapters). Ive been down this route before

ssh is built into Windows. serial is indeed a different story. 

[mynameisjuan]

1 minute ago, firelighter487 said:

ssh is built into Windows. serial is indeed a different story. 

I know ssh is built in and serial can be done through powershell but not worth my time farting with it every time

[Ashley MLP Fangirl]

Just now, mynameisjuan said:

I know ssh is built in and serial can be done through powershell but not worth my time farting with it every time

fair enough. i personally find CLI way faster than a GUI app for that sort of stuff but everyone has different workflows. 

[2FA]

12 minutes ago, firelighter487 said:

on linux and macOS you can do: screen /dev/tty.usbserial

 

if you have a usb serial adaptor that is. on Windows i don't know. 

 

btw if that command doesn't work the serial adaptor has a different name in /dev. to figure out what it needs to be use: ls /dev/*usb*

 

that will show the correct name. 

nah it was serial to serial and the command for that wouldn't work for whatever reason, just resulted in a blank console or something iirc

[mynameisjuan]

4 minutes ago, firelighter487 said:

fair enough. i personally find CLI way faster than a GUI app for that sort of stuff but everyone has different workflows. 

I live in CLI...thats what putty is for. I avoid GUIs with a passion but putty is so simple it doesnt bother me. 

[williamcll]

I didn't even knew windows can SSH into linux without puTTy

[Ithanul]

 

12 hours ago, williamcll said:

I didn't even knew windows can SSH into linux without puTTy

Yep:  https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ssh-remoting-in-powershell-core?view=powershell-6