PuTTY vulnerability vuln-ecdsa-newkey

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Changes | Wishlist

summary: Vulnerability: use of uninitialised pointer loading ECDSA keys
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: 0.65 0.66 0.67 7d1c30cd50ce18b8ad9c5970d7f917406d706ae0 2014-11-01
present-in: 2bf868835591b39f17a157b1511b1e2f4b6e77da 2014-11-02
fixed-in: 63b47ed9d504b37ac2e903715ae7bf40036473a1 2015-11-08

Some development snapshots of PuTTY, when presented with an invalid ECDSA key, will zero unrelated memory.

(Since this vulnerability is in the as-yet-unreleased ECDSA implementation, no released version of PuTTY is affected.)

The ecdsa_newkey function is the part of PuTTY that converts ECDSA public keys from SSH-2 wire format into a format that can be used internally. If this conversion fails part-way through, PuTTY attempts to erase the memory holding the part-constructed internal key. One of the fields of the internal format is not initialised to NULL before the first possible failure point, so PuTTY can end up erasing memory unrelated to the key being loaded. It's possible that this could be exploited to cause PuTTY to erase something important.

The ecdsa_newkey function is called whenever PuTTY receives an ECDSA host key from an SSH-2 server, including during initial key exchange. This means that an attack could be mounted by a man in the middle before PuTTY has validated the host key.

This is a particular problem because in an SSH-2 connection, PuTTY converts the server-presented host key into internal format before checking that it's the correct host key, so a man in the middle could cause trouble even if the user is connecting to a trustworthy server.

This bug was found with the help of American Fuzzy Lop.

If you want to comment on this web site, see the Feedback page.
Audit trail for this vulnerability.
(last revision of this bug record was at 2016-03-26 19:05:12 +0000)