Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2013.0097
Multiple vulnerabilities have been identified in Putty.
7 August 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Putty
Operating System: Windows
Impact/Access: Provide Misleading Information -- Remote with User Interaction
Unauthorised Access -- Remote with User Interaction
Reduced Security -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2013-4852
Member content until: Friday, September 6 2013
OVERVIEW
Multiple vulnerabilities have been identified in Putty prior to version
v0.63. [1]
IMPACT
The author has provided the following details regarding these
vulnerabilities:
"summary: Vulnerability: buffer underrun in modmul can corrupt the
heap
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: r571
present-in: 0.52 0.53 0.53b 0.54 0.55 0.56 0.57 0.58 0.59 0.60 0.61
0.62
fixed-in: r9977 2013-07-09 0.63 (0.63)
Many versions of PuTTY prior to 0.63 have a heap-corrupting buffer
underrun bug in the modmul function which performs modular
multiplication.
In order to get as many useful bits as possible out of each
division, modmul starts by shifting the modulus left so that its
highest set bit appears at the top of a machine word. To correct for
that shift in the following calculation, the last thing it does is
to shift the entire output value left by the same number of bits,
reduce it again, and shift back down. A missing bounds check can
cause it to allocate the array it uses to store that output value
with too little capacity, with the effect that the bit-shifting
process runs off the beginning of the array and corrupts data
preceding it in memory.
The corrupted data will typically consist of other values involved
in the same modular multiplication, and the heap block headers in
between them. Since the shifted data is shifted back again
immediately after the final modular reduction, this bug would be
harmless (though still wrong) except for the fact that one word at
the bottom of the data is not shifted back down. By choosing the
inputs to modmul to have appropriate lengths relative to each other,
that one unrestored word can be made to point at a heap block
header.
The modmul function is called during validation of any DSA signature
received by PuTTY, including during the initial key exchange
phase. Therefore, this bug can be exploited by a malicious server,
before the client has received and verified a host key signature. So
this attack can be performed by a man-in-the-middle between the SSH
client and server, and the normal host key protections against MITM
attacks are bypassed. Even if you trust the server you think you are
connecting to, you are not safe.
We are currently unaware of any way in which this can lead to remote
code execution or controlled memory overwriting, since the
overwritten heap block cannot be assigned an arbitrary value by the
attacker, only shifted left by a chosen number of bits. However, we
cannot be sure of that.
This bug does not affect RSA keys.
This bug was discovered by Mark Wooding." [2]
"summary: Vulnerability: negative string length in public-key
signatures can cause integer overflow and overwrite all of memory
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: r968
present-in: 0.52 0.53 0.53b 0.54 0.55 0.56 0.57 0.58 0.59 0.60 0.61
0.62
fixed-in: r9896 2013-07-09 0.63 (0.63)
Many versions of PuTTY prior to 0.63 have an integer overflow
vulnerability in their treatment of string length fields in public-key
signatures.
An RSA signature blob contains a multiprecision integer stored as an
SSH-2 string, i.e. with a 4-byte length field at the front. Setting
this length field to 0xFFFFFFFF (-1) is mistakenly permitted by the
signature decoding code due to a missing bounds check, and the effect
is that PuTTY allocates zero memory to store the integer in (because
it adds one to the length first) and then tries to write zeroes over
4Gb of memory starting from that location.
This bug applies to any RSA signature received by PuTTY, including
during the initial key exchange phase. Therefore, this bug can be
exploited by a malicious server, before the client has received and
verified a host key signature. So this attack can be performed by a
man-in-the-middle between the SSH client and server, and the normal
host key protections against MITM attacks are bypassed. Even if you
trust the server you think you are connecting to, you are not safe.
We are unaware of any way in which this can lead to remote code
execution, since it will typically overwrite the entire heap with
zeroes and PuTTY is expected to crash almost immediately.
This bug does not affect DSA keys.
This bug was discovered by SEARCH-LAB and documented in their advisory.
It has been assigned CVE ID CVE-2013-4852." [3]
"summary: Vulnerability: non-coprime values in DSA signatures can cause
buffer overflow in modular inverse
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: r568
present-in: 0.52 0.53 0.53b 0.54 0.55 0.56 0.57 0.58 0.59 0.60 0.61 0.62
fixed-in: r9996 2013-08-05 0.63 (0.63)
Many versions of PuTTY prior to 0.63 have a buffer overflow
vulnerability in the calculation of modular inverses when verifying a
DSA signature.
One step of the DSA signature verification procedure involves computing
the modular inverse of the integer s (part of the signature) with
respect to the integer q (part of the public key). If s and q have any
common factor, this modular inverse cannot exist. Of course, such a
signature is invalid (and probably the private key is invalid too),
but PuTTY will react to that situation by its bignum code overflowing
a buffer when it attempts to divide by zero during Euclid's algorithm.
This bug applies to any DSA signature received by PuTTY, including
during the initial key exchange phase. Therefore, this bug can be
exploited by a malicious server, before the client has received and
verified a host key signature. So this attack can be performed by a
man-in-the-middle between the SSH client and server, and the normal
host key protections against MITM attacks are bypassed. Even if you
trust the server you think you are connecting to, you are not safe.
We are unaware of any way in which this can lead to remote code
execution, since there is no control over the data written into the
heap.
This bug does not affect RSA keys." [4]
"summary: Private keys left in memory after being used by PuTTY tools
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: r1020
present-in: 0.52 0.53 0.53b 0.54 0.55 0.56 0.57 0.58 0.59 0.60 0.61
0.62
fixed-in: r9988 2013-07-14 0.63 (0.63)
When PuTTY has sensitive data in memory and has no further need for it,
it should wipe the data out of its memory, in case malware later gains
access to the PuTTY process or the memory is swapped out to disk or
written into a crash dump file. An obvious example of this is the
password typed during SSH login; other examples include obsolete
session keys, public-key passphrases, and the private halves of public
keys.
After loading an RSA key, PuTTY runs the internal routine rsa_verify()
to check that it makes sense. Every version of PuTTY since 2001, up to
and including 0.62, has a bug in which rsa_verify() fails to wipe from
memory two large integer variables containing p-1 and q-1, where p and
q are the two primes whose product is the RSA key modulus. Recovering
these from a PuTTY memory image would be sufficient to reconstruct the
private half of the RSA key; so those versions of PuTTY would
effectively store your private key in memory for as long as they were
running.
Similar problems apply to DSA keys: PuTTY fails to free the private
key component x, and also does not free the random number k that it
generates when making a DSA signature, possession of which is
sufficient to expose the private key.
This applies to every program in the PuTTY suite which loads private
keys: PuTTY, PSCP, PSFTP and Plink. If any of those programs loads a
private key directly (rather than getting a signature from an SSH agent
such as Pageant) then they will have left information equivalent to the
private key in memory for their entire run.
Pageant also had the same bug, but of course since its job is to retain
decrypted private keys in memory that isn't important in most cases.
However, if you ever told Pageant to delete a key from memory, it would
not have properly deleted it: it would still have retained a copy by
mistake due to this bug.
PuTTY 0.63 fixes this bug in all the tools: those variables are now
correctly wiped from memory.
However, it is still unavoidably very dangerous if malicious software
is in a position to read the memory of your PuTTY processes: there is
still a lot of sensitive data in there which cannot be wiped because
it's still being used, e.g. session keys. And, as mentioned above,
Pageant retains decrypted private keys in memory for long periods on
purpose if you use it. So this fix somewhat mitigates the risks of
malicious access to your PuTTY processes' memory, but no fix can
eliminate those risks completely.
The RSA part of this vulnerability was spotted by Coverity Scan." [5]
MITIGATION
The author of putty has released a patch (v0.63) that resolves these
vulnerabilities.
REFERENCES
[1] PuTTY: A Free Telnet/SSH Client
http://www.chiark.greenend.org.uk/~sgtatham/putty/
[2] PuTTY vulnerability vuln-modmul
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html
[3] PuTTY vulnerability vuln-signature-stringlen
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-signature-stringlen.html
[4] PuTTY vulnerability vuln-bignum-division-by-zero
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-division-by-zero.html
[5] PuTTY vulnerability private-key-not-wiped
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUgHKtBLndAQH1ShLAQJjjg/7BIo4qmH/B0ocPO9pRb3jS0fhFvz2as4q
7bfZWhHCGG9OsQOH1anDVCYEFRWCFHJitQAtRJUb5Uyr2JvVnp0RcGxbNvbxCFFT
QbaDkosLShTA6jS9WR4eUzp95j2RrUmsJ8SSuh1JqbEjlb7hfJYzTruG6OM5VZvv
ImsOSqr8Bgz5DOMX+OxKjbH/Bk0k7kjZclebJyEWfP1Nf23j1zvz/soxOwJvd5g3
XMIUQQeWSta7XVHoO2qKyD6Yvq7Glkt/LOGe4+glugzPDbQm7rBKPDtC8TujseGj
qnishh945kgKyzc6Symj5N0Wt1NbRLH17NsCybEEFgI0LA7wpViBNPww+5prVbXN
62zDoZ3BPQLAdEs7lrNbsjJkZAGTclJZGjSRbNVFR7Y5tunqDHQS9xgO5gTlGbxy
ji3VP30+bairqb72ArEarExNtwdlA3gsEPHDz9oZYIh2+oUvi7z7QADdHb1euAJS
siTVypOOGmxwDWWSDm7lYfuqNnTc87qm9W9vH1MINomIfhbPM5THWtuUMTCrxcAF
9mS/HxltrVYwxvujdlGqrukSdlEI45ash82vGOAuW0+ZfhjV+U2ZA1LIveQat1Vl
ZtzsSoqdXtodtw5LFPiF/c+PWqrDI7x9Uk+Cn3t2gaHYxmGsIqCi3f21u7VmunU5
qyaOd56g1j8=
=oQ8a
-----END PGP SIGNATURE-----