[arch-security] [ASA-201503-1] putty: information disclosure
Levente Polyak
anthraxx at archlinux.org
Mon Mar 2 11:23:56 UTC 2015
Arch Linux Security Advisory ASA-201503-1
=========================================
Severity: Medium
Date : 2015-03-02
CVE-ID : CVE-2015-2157
Package : putty
Type : information disclosure
Remote : No
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package putty before version 0.64-1 is vulnerable to information
disclosure of SSH-2 private key information.
Resolution
==========
Upgrade to 0.64-1.
# pacman -Syu "putty>=0.64-1"
The problem has been fixed upstream in version 0.64.
Workaround
==========
None.
Description
===========
When PuTTY has sensitive data in memory and has no further need for it,
it should wipe the data out of its memory, in case malware later gains
access to the PuTTY process or the memory is swapped out to disk or
written into a crash dump file. An obvious example of this is the
password typed during SSH login; other examples include obsolete session
keys, public-key passphrases, and the private halves of public keys.
After loading a private key from a disk file, PuTTY mistakenly leak a
memory buffer containing a copy of the private key, in the function
ssh2_load_userkey. The companion function ssh2_save_userkey (only called
by PuTTYgen) can also leak a copy, but only in the case where the file
it tried to save to could not be created.
This applies to SSH-2 private keys only. It affects all tools in the
PuTTY suite which load or save private keys: PuTTY, Plink, PSCP, PSFTP,
Pageant and PuTTYgen. If any of those programs loads a private key
directly (rather than getting a signature from an SSH agent such as
Pageant) then they will have left information equivalent to the private
key in memory for their entire run.
Impact
======
A local attacker is able to retrieve SSH-2 private key information from
memory after loading and saving key files to disk as a result of
inappropriate wipe.
References
==========
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2157
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150302/b026ebad/attachment.asc>
More information about the arch-security
mailing list