September 23, 2014

New PuTTY Release Fixes Password-not-wiped Vulnerability

(LiveHacking.Com) – Simon Tatham has released a new version of PuTTY, the ubiquitous SSH client for Windows, that fixes a bug that left passwords in active memory. Since PuTTY needs to authenticate with remote servers using passwords or public/private key pairs, and needs to hold session keys and similar material in memory while running, it is important that any information no longer needed be wiped from memory.

The reason for this is that it is feasible that malware could gain access to PuTTY’s memory, read parts of that memory that were swapped to disk, or read a crash dump to which that memory was written. Access to this memory could then lead to password disclosure.

Although this scenario cannot be avoided entirely (PuTTY needs to keep some sensitive information on hand), the risk can be reduced as far as possible. PuTTY 0.59, 0.60 and 0.61 contained a bug in which the password entered was not wiped from memory, even though it was no longer needed.

Since most modern SSH-2 servers use the keyboard-interactive method for password logins (rather than SSH-2’s dedicated password method), this meant that those versions of PuTTY would store your login password in memory for as long as they were running.
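The defensive practice the article describes, wiping a password buffer as soon as the authentication exchange is over, is shown below as an added example. It is written in C because PuTTY is, but it is not PuTTY's own code: the function names, the 64-byte working buffer and the stand-in `fake_authenticate` check against a constructed expected password are all assumptions made for illustration.

```c
/* Added example (not PuTTY's own code): wiping a password buffer once
 * authentication is finished so the secret does not linger in process
 * memory, swap, or a crash dump. Names and the fake "authenticate" step
 * are constructed for illustration. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Wipe through a volatile pointer so the compiler cannot treat the stores
 * as dead and optimise them away (a plain memset on a buffer that is never
 * read again is a common victim of dead-store elimination). */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte in buf is zero, 0 otherwise. */
int buffer_is_wiped(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Stand-in for the authentication exchange: a constructed comparison against
 * a hard-coded expected password. The real protocol step is irrelevant here;
 * what matters is that the buffer is cleared on every path afterwards. */
static int fake_authenticate(const char *password)
{
    return strcmp(password, "correct horse") == 0;
}

/* Copies the entered password into a working buffer, uses it, and wipes it
 * before returning. Returns 1 on successful login, 0 on failure; in both
 * cases *wiped reports whether the working buffer is all zero afterwards. */
int login_and_wipe(const char *entered, int *wiped)
{
    unsigned char work[64];
    size_t n = strlen(entered);
    int ok;

    if (n >= sizeof(work)) {
        *wiped = 1;  /* nothing was copied, so nothing to clear */
        return 0;
    }
    memcpy(work, entered, n + 1);
    ok = fake_authenticate((const char *)work);

    /* The secret is no longer needed once the server has answered. */
    secure_wipe(work, sizeof(work));
    *wiped = buffer_is_wiped(work, sizeof(work));
    return ok;
}

/* Returns 1 if the correct (constructed) password logs in AND the buffer
 * is wiped afterwards. */
int demo_correct_password_wiped(void)
{
    int wiped = 0;
    int ok = login_and_wipe("correct horse", &wiped);
    return ok && wiped;
}

/* Returns 1 if a wrong password is rejected AND the buffer is still wiped. */
int demo_wrong_password_wiped(void)
{
    int wiped = 0;
    int ok = login_and_wipe("wrong password", &wiped);
    return !ok && wiped;
}

int main(void)
{
    printf("correct password: login ok and wiped = %d\n",
           demo_correct_password_wiped());
    printf("wrong password: rejected and wiped = %d\n",
           demo_wrong_password_wiped());
    return 0;
}
```

The point of `secure_wipe` is that the clearing must happen on both the success and the failure path, and must survive optimisation; on platforms that provide one, a dedicated primitive such as `explicit_bzero` or `SecureZeroMemory` serves the same purpose as the volatile loop.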

Other bugs squashed in 0.62 include:

  • Pageant 0.61 would not accept connections from PuTTY 0.60 and earlier, or from other software (such as WinSCP) that used 0.60’s method of talking to Pageant. Pageant 0.62 accepts connections from both types of client.
  • If PuTTY 0.61 attempted GSSAPI authentication and failed, it printed a spurious and confusing ‘Access denied’ message in the terminal window, even though it was still possible to log in by other means.
  • If PSCP or PSFTP 0.61 was told to load a saved session which specifies SSH on a port other than 22, they would wrongly try to connect to port 22 instead of the specified port.
  • Pageant 0.61 leaked a file mapping handle every time it received a message with the wrong authentication.
  • PuTTYtel 0.61 crashed with an assertion failure message when saving a session.
  • PuTTY 0.61 could display underlined text with the underlines in the wrong place, to the right of the characters they should have been under.
  • PuTTY 0.61 could display VT100 line-drawing characters at the wrong vertical offset if they appeared next to the offset horizontal line characters.

Pre-built binaries, and the source code, are now available from the PuTTY website at http://www.chiark.greenend.org.uk/~sgtatham/putty/