
This is a discussion on Vulnerability in PuTTY in the Shared & Semi-Dedicated forum

  1. #1
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003

    Vulnerability in PuTTY

    Just got this through the NTBugTraq mailing list.

    Title: Vulnerabilities in PuTTY and PSCP

    *Vulnerability Description:*

    PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator.

    PuTTY and PSCP are client applications used by network and security administrators to log in securely to networked server systems.

    We have found that by sending specially crafted packets to the client during the authentication process, an attacker is able to compromise and execute arbitrary code on the machine running PuTTY or PSCP.

    In SSH2, an attacker impersonating a trusted host can launch an attack before the client has the ability to determine the difference between the trusted and fake host. This attack is performed before host key verification.

    *Vulnerable Packages:*

    PuTTY 0.54 and previous versions are vulnerable.


    *Solution/Vendor Information/Workaround:*

    PuTTY 0.55 fixes these vulnerabilities. It is available at: http://www.chiark.greenend.org.uk/~s.../download.html

    PuTTY maintainers recommend that everybody upgrade to 0.55 as soon as possible.
    The full advisory can be viewed at http://www.coresecurity.com/common/s...&idxseccion=10
    if anyone's interested.

    Also keep in mind that programs that make use of the PuTTY engine (such as WinSCP) may also be vulnerable.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
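
An added example, not part of the original post or the advisory: a server-side check that finds which source addresses still connect with PuTTY or PSCP older than 0.55, so those users can be told to upgrade. It assumes sshd logs at debug level in the OpenSSH message formats shown in the comments; the log lines are constructed, and WinSCP is not covered because the thread gives no fixed WinSCP version.

```python
import re

FIXED = (0, 55)  # first fixed PuTTY release, per the advisory quoted above

# Assumption: OpenSSH sshd debug-level messages ("Client ...;" or "Remote ...,").
PID_RE = re.compile(r"sshd\[(\d+)\]: (.*)")
CONN_RE = re.compile(r"Connection from (\S+) port \d+")
VER_RE = re.compile(r"(?:Client|Remote) protocol version [\d.]+[;,] "
                    r"(?:client|remote) software version (\S+)")
PUTTY_RE = re.compile(r"PuTTY[-_]Release[-_](\d+)\.(\d+)")


def vulnerable_putty(ident):
    """Return (major, minor) if ident is a PuTTY/PSCP release older than FIXED."""
    m = PUTTY_RE.search(ident)
    if not m:
        return None  # not a PuTTY release build; snapshots need manual review
    release = (int(m.group(1)), int(m.group(2)))
    return release if release < FIXED else None


def find_vulnerable_clients(lines):
    """Correlate sshd lines by PID; return sorted (source_ip, version) pairs."""
    source_by_pid, hits = {}, set()
    for line in lines:
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        conn, ver = CONN_RE.search(msg), VER_RE.search(msg)
        if conn:
            source_by_pid[pid] = conn.group(1)
        release = vulnerable_putty(ver.group(1)) if ver else None
        if release:
            hits.add((source_by_pid.get(pid, "unknown"), "%d.%02d" % release))
    return sorted(hits)


# Constructed sample log lines (documentation addresses, hypothetical host "web1").
SAMPLE_LOG = [
    "Aug  4 10:12:01 web1 sshd[2211]: Connection from 192.0.2.10 port 51234",
    "Aug  4 10:12:01 web1 sshd[2211]: debug1: Client protocol version 2.0; client software version PuTTY-Release-0.54",
    "Aug  4 10:15:40 web1 sshd[2302]: Connection from 192.0.2.22 port 40022",
    "Aug  4 10:15:40 web1 sshd[2302]: debug1: Client protocol version 2.0; client software version PuTTY-Release-0.55",
    "Aug  4 10:20:03 web1 sshd[2410]: Connection from 198.51.100.7 port 39911",
    "Aug  4 10:20:03 web1 sshd[2410]: debug1: Client protocol version 2.0; client software version OpenSSH_3.8.1p1",
]
```

Calling `find_vulnerable_clients(SAMPLE_LOG)` reports only the 0.54 client; the 0.55 and OpenSSH connections are ignored.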

  2. #2
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Just to confirm, there is an upgrade for WinSCP that uses the new PuTTY core. Be sure to upgrade that, too.

    --Jason

  3. #3
    Old Hillbilly Connie's Avatar
    Join Date
    Sep 2001
    Location
    Hills of Missouri
    Posts
    2,648
    Hi Jason,

    Thanks for the update. I meant to say something shortly after you posted this. Then got involved in other stuff.

    I don't use putty but I downloaded the WinSCP update. The update solved another problem I was having after the previous update.

    Really surprised that you caught the WinSCP update rather than Vin. He is the WinSCP champion so to speak.

    Forum Moderators - Jag Staff


  4. #4
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Connie,

    The only reason I noticed is because there was an email sent out by someone on our support staff at work warning of the PuTTY vulnerability. Knowing that many people here use PuTTY (and its derivatives), I figured I'd pass the warning on. When I did my own upgrade I decided to check out WinSCP since I know that is based on PuTTY, and sure enough, there was an update for that as well.

    --Jason

  5. #5
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Yep, I should have mentioned that upgrade, but jason beat me to it...

    I've been moving programs to my striped SATA drives, as I upgrade them, and WoW, what a difference!

    One thing I wanted to mention - yes, WinSCP is built on PuTTY, but not only that - you can use PuTTY from a window inside WinSCP, so it's kind of a circular thing, if you know what I mean.

    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  6. #6
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    While we're talking about upgrades, I don't know if anyone on JagPC, but me, runs the Kiwi Syslog Daemon. Most of the ppl here don't even know what a 'system log' is. In case you do, they just came out with a new 'stable' (non-beta) version - 7.1.4.

    http://www.kiwisyslog.com/

    Been using it for a couple of years. Highly recommended!
