PuTTY in your hands: SSH client gets patched after RSA key exchange memory vuln spotted

Venerable SSH client PuTTY has received a pile of security patches, with its lead maintainer admitting to the The Register that one fixed a "'game over' level vulnerability".

The fixes implemented in PuTTY over the weekend include new features plugging a plethora of vulns in the Telnet and SSH client, most of which were uncovered as part of an EU-sponsored HackerOne bug bounty.

Version 0.71 of PuTTY includes fixes for:

• A remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification
• Potential recycling of random numbers used in cryptography
• On Windows, hijacking by a malicious help file in the same directory as the executable
• On Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding
• multiple denial-of-service attacks that can be triggered by writing to the terminal

Lead maintainer and "benevolent dictator" of all things PuTTY Simon Tatham told El Reg that "of all the things found by the EU bug bounty programme, the most serious was vuln-dss-verify. That really is a 'game over' level vulnerability for a secure network protocol: a MITM attacker could bypass the SSH host key system completely."

"Luckily," he continued, "it never appeared in a released version of PuTTY: it was introduced during work to rewrite the crypto for side-channel safety, and spotted only a few weeks later by a bug-bounty participant, well before the release came out. So the EU protected almost everybody from that one."

Another one of the patched vulns was PuTTY not enforcing minimum key lengths during RSA key exchange, creating an integer overflow situation. Tatham explained that this "could be triggered by a server whose host key hasn't yet been authenticated. So you'd not only have been at risk from servers you actually trust turning out to be untrustworthy; you were also at risk from anyone who could MITM your connection to such a server, because the usual mechanism that protects you from MITM has not yet kicked in at that stage in the connection."

The other major vuln patched in v0.71 involved planting a malicious help file in the PuTTY root directory, something Tatham said wouldn't have applied to those using the regular Windows .msi installer.

Opened in January, the EU review of PuTTY paid out more than $17,500 and was funded by the EU Directorate-General for Informatics, which describes itself as "providing digital services that support other Commission departments". The bounty formed a wider part of the EU's ongoing Free and Open Software Audit, or FOSSA. ®