Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2013.0097 Multiple vulnerabilities have been identified in Putty. 7 August 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Putty Operating System: Windows Impact/Access: Provide Misleading Information -- Remote with User Interaction Unauthorised Access -- Remote with User Interaction Reduced Security -- Unknown/Unspecified Resolution: Patch/Upgrade CVE Names: CVE-2013-4852 Member content until: Friday, September 6 2013 OVERVIEW Multiple vulnerabilities have been identified in Putty prior to version v0.63. [1] IMPACT The author has provided the following details regarding these vulnerabilities: "summary: Vulnerability: buffer underrun in modmul can corrupt the heap class: vulnerability: This is a security vulnerability. difficulty: fun: Just needs tuits, and not many of them. priority: high: This should be fixed in the next release. absent-in: r571 present-in: 0.52 0.53 0.53b 0.54 0.55 0.56 0.57 0.58 0.59 0.60 0.61 0.62 fixed-in: r9977 2013-07-09 0.63 (0.63) Many versions of PuTTY prior to 0.63 have a heap-corrupting buffer underrun bug in the modmul function which performs modular multiplication. In order to get as many useful bits as possible out of each division, modmul starts by shifting the modulus left so that its highest set bit appears at the top of a machine word. To correct for that shift in the following calculation, the last thing it does is to shift the entire output value left by the same number of bits, reduce it again, and shift back down. A missing bounds check can cause it to allocate the array it uses to store that output value with too little capacity, with the effect that the bit-shifting process runs off the beginning of the array and corrupts data preceding it in memory. The corrupted data will typically consist of other values involved in the same modular multiplication, and the heap block headers in between them. Since the shifted data is shifted back again immediately after the final modular reduction, this bug would be harmless (though still wrong) except for the fact that one word at the bottom of the data is not shifted back down. By choosing the inputs to modmul to have appropriate lengths relative to each other, that one unrestored word can be made to point at a heap block header. The modmul function is called during validation of any DSA signature received by PuTTY, including during the initial key exchange phase. Therefore, this bug can be exploited by a malicious server, before the client has received and verified a host key signature. So this attack can be performed by a man-in-the-middle between the SSH client and server, and the normal host key protections against MITM attacks are bypassed. Even if you trust the server you think you are connecting to, you are not safe. We are currently unaware of any way in which this can lead to remote code execution or controlled memory overwriting, since the overwritten heap block cannot be assigned an arbitrary value by the attacker, only shifted left by a chosen number of bits. However, we cannot be sure of that. This bug does not affect RSA keys. This bug was discovered by Mark Wooding." [2] "summary: Vulnerability: negative string length in public-key signatures can cause integer overflow and overwrite all of memory class: vulnerability: This is a security vulnerability. difficulty: fun: Just needs tuits, and not many of them. priority: high: This should be fixed in the next release. absent-in: r968 present-in: 0.52 0.53 0.53b 0.54 0.55 0.56 0.57 0.58 0.59 0.60 0.61 0.62 fixed-in: r9896 2013-07-09 0.63 (0.63) Many versions of PuTTY prior to 0.63 have an integer overflow vulnerability in their treatment of string length fields in public-key signatures. An RSA signature blob contains a multiprecision integer stored as an SSH-2 string, i.e. with a 4-byte length field at the front. Setting this length field to 0xFFFFFFFF (-1) is mistakenly permitted by the signature decoding code due to a missing bounds check, and the effect is that PuTTY allocates zero memory to store the integer in (because it adds one to the length first) and then tries to write zeroes over 4Gb of memory starting from that location. This bug applies to any RSA signature received by PuTTY, including during the initial key exchange phase. Therefore, this bug can be exploited by a malicious server, before the client has received and verified a host key signature. So this attack can be performed by a man-in-the-middle between the SSH client and server, and the normal host key protections against MITM attacks are bypassed. Even if you trust the server you think you are connecting to, you are not safe. We are unaware of any way in which this can lead to remote code execution, since it will typically overwrite the entire heap with zeroes and PuTTY is expected to crash almost immediately. This bug does not affect DSA keys. This bug was discovered by SEARCH-LAB and documented in their advisory. It has been assigned CVE ID CVE-2013-4852." [3] "summary: Vulnerability: non-coprime values in DSA signatures can cause buffer overflow in modular inverse class: vulnerability: This is a security vulnerability. difficulty: fun: Just needs tuits, and not many of them. priority: high: This should be fixed in the next release. absent-in: r568 present-in: 0.52 0.53 0.53b 0.54 0.55 0.56 0.57 0.58 0.59 0.60 0.61 0.62 fixed-in: r9996 2013-08-05 0.63 (0.63) Many versions of PuTTY prior to 0.63 have a buffer overflow vulnerability in the calculation of modular inverses when verifying a DSA signature. One step of the DSA signature verification procedure involves computing the modular inverse of the integer s (part of the signature) with respect to the integer q (part of the public key). If s and q have any common factor, this modular inverse cannot exist. Of course, such a signature is invalid (and probably the private key is invalid too), but PuTTY will react to that situation by its bignum code overflowing a buffer when it attempts to divide by zero during Euclid's algorithm. This bug applies to any DSA signature received by PuTTY, including during the initial key exchange phase. Therefore, this bug can be exploited by a malicious server, before the client has received and verified a host key signature. So this attack can be performed by a man-in-the-middle between the SSH client and server, and the normal host key protections against MITM attacks are bypassed. Even if you trust the server you think you are connecting to, you are not safe. We are unaware of any way in which this can lead to remote code execution, since there is no control over the data written into the heap. This bug does not affect RSA keys." [4] "summary: Private keys left in memory after being used by PuTTY tools class: vulnerability: This is a security vulnerability. difficulty: fun: Just needs tuits, and not many of them. priority: high: This should be fixed in the next release. absent-in: r1020 present-in: 0.52 0.53 0.53b 0.54 0.55 0.56 0.57 0.58 0.59 0.60 0.61 0.62 fixed-in: r9988 2013-07-14 0.63 (0.63) When PuTTY has sensitive data in memory and has no further need for it, it should wipe the data out of its memory, in case malware later gains access to the PuTTY process or the memory is swapped out to disk or written into a crash dump file. An obvious example of this is the password typed during SSH login; other examples include obsolete session keys, public-key passphrases, and the private halves of public keys. After loading an RSA key, PuTTY runs the internal routine rsa_verify() to check that it makes sense. Every version of PuTTY since 2001, up to and including 0.62, has a bug in which rsa_verify() fails to wipe from memory two large integer variables containing p-1 and q-1, where p and q are the two primes whose product is the RSA key modulus. Recovering these from a PuTTY memory image would be sufficient to reconstruct the private half of the RSA key; so those versions of PuTTY would effectively store your private key in memory for as long as they were running. Similar problems apply to DSA keys: PuTTY fails to free the private key component x, and also does not free the random number k that it generates when making a DSA signature, possession of which is sufficient to expose the private key. This applies to every program in the PuTTY suite which loads private keys: PuTTY, PSCP, PSFTP and Plink. If any of those programs loads a private key directly (rather than getting a signature from an SSH agent such as Pageant) then they will have left information equivalent to the private key in memory for their entire run. Pageant also had the same bug, but of course since its job is to retain decrypted private keys in memory that isn't important in most cases. However, if you ever told Pageant to delete a key from memory, it would not have properly deleted it: it would still have retained a copy by mistake due to this bug. PuTTY 0.63 fixes this bug in all the tools: those variables are now correctly wiped from memory. However, it is still unavoidably very dangerous if malicious software is in a position to read the memory of your PuTTY processes: there is still a lot of sensitive data in there which cannot be wiped because it's still being used, e.g. session keys. And, as mentioned above, Pageant retains decrypted private keys in memory for long periods on purpose if you use it. So this fix somewhat mitigates the risks of malicious access to your PuTTY processes' memory, but no fix can eliminate those risks completely. The RSA part of this vulnerability was spotted by Coverity Scan." [5] MITIGATION The author of putty has released a patch (v0.63) that resolves these vulnerabilities. REFERENCES [1] PuTTY: A Free Telnet/SSH Client http://www.chiark.greenend.org.uk/~sgtatham/putty/ [2] PuTTY vulnerability vuln-modmul http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html [3] PuTTY vulnerability vuln-signature-stringlen http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-signature-stringlen.html [4] PuTTY vulnerability vuln-bignum-division-by-zero http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-division-by-zero.html [5] PuTTY vulnerability private-key-not-wiped http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUgHKtBLndAQH1ShLAQJjjg/7BIo4qmH/B0ocPO9pRb3jS0fhFvz2as4q 7bfZWhHCGG9OsQOH1anDVCYEFRWCFHJitQAtRJUb5Uyr2JvVnp0RcGxbNvbxCFFT QbaDkosLShTA6jS9WR4eUzp95j2RrUmsJ8SSuh1JqbEjlb7hfJYzTruG6OM5VZvv ImsOSqr8Bgz5DOMX+OxKjbH/Bk0k7kjZclebJyEWfP1Nf23j1zvz/soxOwJvd5g3 XMIUQQeWSta7XVHoO2qKyD6Yvq7Glkt/LOGe4+glugzPDbQm7rBKPDtC8TujseGj qnishh945kgKyzc6Symj5N0Wt1NbRLH17NsCybEEFgI0LA7wpViBNPww+5prVbXN 62zDoZ3BPQLAdEs7lrNbsjJkZAGTclJZGjSRbNVFR7Y5tunqDHQS9xgO5gTlGbxy ji3VP30+bairqb72ArEarExNtwdlA3gsEPHDz9oZYIh2+oUvi7z7QADdHb1euAJS siTVypOOGmxwDWWSDm7lYfuqNnTc87qm9W9vH1MINomIfhbPM5THWtuUMTCrxcAF 9mS/HxltrVYwxvujdlGqrukSdlEI45ash82vGOAuW0+ZfhjV+U2ZA1LIveQat1Vl ZtzsSoqdXtodtw5LFPiF/c+PWqrDI7x9Uk+Cn3t2gaHYxmGsIqCi3f21u7VmunU5 qyaOd56g1j8= =oQ8a -----END PGP SIGNATURE-----