
Multiple Vulnerabilities Patched in PuTTY and LibSSH2

PuTTY, an SSH and Telnet client program, and LibSSH2, a client-side C library for the SSH2 protocol, have both received updates fixing multiple vulnerabilities. Eight vulnerabilities have been fixed in version 0.71 of PuTTY, and nine vulnerabilities fixed in version 1.8.1 of LibSSH2.


Seven of the eight PuTTY vulnerabilities were found under the EU-FOSSA bug bounty project, operated through HackerOne and Intigriti/Deloitte. In January 2019, the EU offered more than 850,000 in rewards for bugs found in 14 leading free software projects, PuTTY among them (via HackerOne). The PuTTY scheme runs from 7 January 2019 until 15 December 2019. Its total available bounty is 90,000, the highest single amount in the scheme.

Three of the eight PuTTY vulnerabilities allow DoS attacks against it. The three trigger conditions are: a CJK wide character written to a 1-column-wide terminal; combining characters together with double-width text, an odd number of terminal columns, and GTK; and many Unicode combining characters written to the terminal.

The fourth vulnerability is one of process rather than code. If a malicious server allows PuTTY to log in without authentication, but then sends text that imitates a PuTTY prompt, the user could be induced to type the private key passphrase, which would then be sent to the server. It has been solved by employing new strategies to distinguish genuine from fake authentication prompts rather than by altering the basic code.

The fifth vulnerability is similar in that it involves tricking PuTTY into doing the wrong thing. If an attacker manages to place a file called putty.chm in the directory from which PuTTY is being run, PuTTY would assume it is the genuine help file and feed it to htmlhelp.exe. A .chm file can carry code that runs when it is opened. This has been fixed by changing the way in which the PuTTY tools find their help file.

The sixth vulnerability is a buffer overflow in Unix PuTTY if the server opens too many port forwardings. PuTTY monitored activity by adding file descriptors to a fixed-size set with no bounds check, so enough descriptors overflow it. Under certain conditions, this could be triggered remotely by a malicious SSH server. This has been fixed by switching all PuTTY tools to monitoring file descriptors using poll(2), whose API does not have this limitation.
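As an added illustration of the bug class described above (this is not PuTTY's code), the block below contrasts a select(2)-style fd_set, which silently overflows unless every caller checks the descriptor against FD_SETSIZE, with a poll(2)-style array that simply grows. The "forwardings" are simulated by descriptor numbers, not real sockets, so it runs offline; the pollset type and its functions are names chosen for this example.

```c
#include <poll.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/select.h>

/* Added example, not PuTTY's code. select(2) keeps descriptors in a fixed-size
 * bitmap; FD_SET on an fd >= FD_SETSIZE writes outside that bitmap, so the
 * caller must refuse such descriptors before calling the macro. */
bool fdset_add_checked(fd_set *set, int fd)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return false;               /* would write past the fd_set */
    FD_SET(fd, set);
    return true;
}

/* A poll(2)-style set: a heap array of struct pollfd with no fixed upper bound
 * on descriptor values, grown as descriptors arrive. */
typedef struct {
    struct pollfd *fds;
    size_t count, cap;
} pollset;

bool pollset_add(pollset *ps, int fd, short events)
{
    if (fd < 0)
        return false;
    if (ps->count == ps->cap) {     /* grow geometrically when full */
        size_t ncap = ps->cap ? ps->cap * 2 : 8;
        struct pollfd *n = realloc(ps->fds, ncap * sizeof *n);
        if (!n)
            return false;           /* out of memory: refuse, do not overflow */
        ps->fds = n;
        ps->cap = ncap;
    }
    ps->fds[ps->count].fd = fd;
    ps->fds[ps->count].events = events;
    ps->fds[ps->count].revents = 0;
    ps->count++;
    return true;
}

void pollset_free(pollset *ps)
{
    free(ps->fds);
    ps->fds = NULL;
    ps->count = ps->cap = 0;
}

/* Simulate a server opening `n` forwardings, each consuming one descriptor
 * numbered upward from `first` (constructed numbers, no real sockets).
 * Returns how many descriptors the monitoring set could accept. */
size_t simulate_forwardings_select(size_t n, int first)
{
    fd_set set;
    size_t accepted = 0;
    FD_ZERO(&set);
    for (size_t i = 0; i < n; i++)
        if (fdset_add_checked(&set, first + (int)i))
            accepted++;
    return accepted;
}

size_t simulate_forwardings_poll(size_t n, int first)
{
    pollset ps = {0};
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        if (pollset_add(&ps, first + (int)i, POLLIN))
            accepted++;
    pollset_free(&ps);
    return accepted;
}

int main(void)
{
    size_t n = (size_t)FD_SETSIZE + 500;
    printf("select-style set accepted %zu of %zu descriptors\n",
           simulate_forwardings_select(n, 0), n);
    printf("poll-style set accepted   %zu of %zu descriptors\n",
           simulate_forwardings_poll(n, 0), n);
    return 0;
}
```

The select path is only safe because fdset_add_checked refuses descriptors at or beyond FD_SETSIZE; drop that check and the same loop corrupts the stack frame holding the fd_set. The poll path has no such cliff, which is why moving to poll(2) removes the bug class rather than patching one call site.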

The seventh vulnerability was that PuTTY could occasionally reuse random numbers, caused by a one-byte buffer overflow in the random pool code. If the position index could be decreased, previously output random numbers could be accidentally recycled. This has been solved by replacing the RNG completely with one based on Schneier and Ferguson’s “Fortuna” design.

The eighth vulnerability could result in an integer overflow due to a missing key-size check in the RSA key exchange code. If exploited, perhaps through a MITM attack, the result could be uncontrolled overwriting of memory. It has been solved by enforcing the minimum key lengths specified in RFC 4432.
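As an added example (not PuTTY's code) of what "enforce the RFC 4432 minimum" buys, the block below encodes the minimum transient-key sizes RFC 4432 specifies for its two methods (1024 bits for rsa1024-sha1, 2048 bits for rsa2048-sha256) and then derives a buffer size from the key size the way a key-exchange implementation has to. The size formula used is the RSAES-OAEP capacity from RFC 3447 (k - 2*hLen - 2), chosen as a stand-in for whatever arithmetic PuTTY performs; the point is that unsigned arithmetic on an unchecked small modulus wraps to a huge value, and the minimum-size check makes that state unreachable. Function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not PuTTY's code. RFC 4432 methods with their minimum
 * transient-key size and hash output length. */
typedef struct {
    const char *name;
    unsigned min_bits;
    unsigned hash_bytes;
} rsa_kex_method;

static const rsa_kex_method METHODS[] = {
    { "rsa1024-sha1",   1024, 20 },
    { "rsa2048-sha256", 2048, 32 },
};

static const rsa_kex_method *lookup_method(const char *name)
{
    for (size_t i = 0; i < sizeof METHODS / sizeof METHODS[0]; i++)
        if (strcmp(METHODS[i].name, name) == 0)
            return &METHODS[i];
    return NULL;
}

/* Minimum modulus size in bits for a method, or 0 if the method is unknown. */
unsigned rsa_kex_min_bits(const char *method)
{
    const rsa_kex_method *m = lookup_method(method);
    return m ? m->min_bits : 0;
}

/* The unchecked computation: k - 2*hLen - 2 in size_t arithmetic. With a
 * modulus smaller than the overhead this wraps instead of failing, which is
 * the shape of bug a missing key-size check leaves behind. */
size_t unchecked_capacity(unsigned modulus_bits, unsigned hash_bytes)
{
    size_t k = ((size_t)modulus_bits + 7) / 8;
    return k - (2 * (size_t)hash_bytes + 2);
}

/* The guarded computation: refuse unknown methods and any modulus below the
 * RFC 4432 minimum before doing arithmetic, and keep a belt-and-braces check
 * so the subtraction can never wrap even if the table changes. */
bool rsa_kex_oaep_capacity(const char *method, unsigned modulus_bits, size_t *capacity)
{
    const rsa_kex_method *m = lookup_method(method);
    if (!m || modulus_bits < m->min_bits)
        return false;               /* RFC 4432 minimum enforced here */
    size_t k = ((size_t)modulus_bits + 7) / 8;
    size_t overhead = 2 * (size_t)m->hash_bytes + 2;
    if (k < overhead)
        return false;               /* cannot wrap */
    *capacity = k - overhead;
    return true;
}

int main(void)
{
    size_t cap = 0;
    printf("unchecked, 64-bit key, SHA-1: %zu bytes (wrapped)\n",
           unchecked_capacity(64, 20));
    if (rsa_kex_oaep_capacity("rsa1024-sha1", 64, &cap))
        printf("guarded accepted a 64-bit key\n");
    else
        printf("guarded rejected a 64-bit key for rsa1024-sha1\n");
    if (rsa_kex_oaep_capacity("rsa2048-sha256", 2048, &cap))
        printf("rsa2048-sha256 with 2048-bit key: %zu bytes\n", cap);
    return 0;
}
```

The unchecked path returns a value near SIZE_MAX for a 64-bit modulus, and any allocation or bound computed from it is wrong in the attacker's favour; the guarded path never reaches the subtraction with such input.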


All eight of these vulnerabilities have been addressed in PuTTY version 0.71.

The changelog for LibSSH2, published Monday, lists nine bug fixes. Four involve integer overflows, four involve out-of-bounds reads, and one is a zero-byte allocation. Each of the vulnerabilities has been assigned a CVE number.

CVE-2019-3855 is a possible integer overflow. A specially crafted packet could trigger the overflow, and the resulting value could be used to allocate memory, leading to an out-of-bounds write. This has been fixed by ensuring the packet length value is within correct limits.

CVE-2019-3863 is an integer overflow. A server could send multiple keyboard-interactive responses with a total length greater than the maximum value of an unsigned integer. The wrapped value could be used as an index to copy memory, causing an out-of-bounds memory write. This has been fixed by ensuring the memory index and the length of the response will fit into the buffer before copying the value and incrementing the index.

CVE-2019-3856 is a possible integer overflow in the keyboard-interactive handling. The value could be used to allocate memory, causing an out-of-bounds memory write. It has been fixed by ensuring the keyboard prompt request count is less than 100 before proceeding with the login process.

CVE-2019-3861 involves out-of-bounds reads caused by specially crafted packets with a padding length value greater than the packet length — which could result in a buffer read out of bounds, or a corrupted packet value. This has been fixed by ensuring the length of the packet padding is less than the packet size minus 1.

CVE-2019-3857 is an integer overflow leading to a zero-byte allocation and out-of-bounds write caused by a server sending an SSH_MSG_CHANNEL_REQUEST with an exit signal message. This is fixed by ensuring the length of the message fits UINT_MAX before allocating memory.

CVE-2019-3862 is an out-of-bounds memory comparison caused by a specially crafted SSH_MSG_CHANNEL_REQUEST packet with an exit status message and no payload. It has been fixed by ensuring the length of the packet is greater than or equal to the value being compared before calling memcmp().

CVE-2019-3858 is a possible zero-byte allocation leading to an out-of-bounds read caused by a specially crafted partial SFTP packet with a zero value for the payload length. This has been fixed by ensuring the length of the payload is not zero before proceeding.

CVE-2019-3860 involves out-of-bounds reads caused by specially crafted partial SFTP packets with empty payloads in response to various SFTP commands. This has been fixed by ensuring the length of the payload is the required length before reading the packet buffer content.

CVE-2019-3859 involves possible out-of-bounds reads caused by specially crafted payloads and the unchecked use of _libssh2_packet_require and _libssh2_packet_requirev. This has been fixed by ensuring that the length of the payload is the required length before reading the packet buffer content.
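The nine LibSSH2 fixes above are variations on one theme: validate an attacker-supplied length before it drives an allocation, an index, or a memcmp(). As an added example (not LibSSH2's code), the block below implements three of those checks on constructed SSH packet bytes: the packet-length and padding-length bounds from the CVE-2019-3855 and CVE-2019-3861 descriptions, an overflow-safe sum of keyboard-interactive response lengths for the CVE-2019-3863 class, and a length check before memcmp() when matching an SSH_MSG_CHANNEL_REQUEST request type, as in CVE-2019-3862. The field layout follows RFC 4253 and RFC 4254; the 35000-byte cap and the function names are this example's own choices.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not LibSSH2's code. */
#define MAX_PACKET_LEN 35000u   /* assumed cap; RFC 4253 requires supporting 35000 */
#define MIN_PADDING    4u       /* RFC 4253: at least four bytes of padding */

typedef enum { PKT_OK, PKT_TOO_SHORT, PKT_LEN_OUT_OF_RANGE, PKT_BAD_PADDING } pkt_status;

static uint32_t read_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* RFC 4253 binary packet: uint32 packet_length, byte padding_length, payload,
 * padding. On PKT_OK, *payload_len holds the payload size; every other
 * status means the lengths must not be used for allocation or indexing. */
pkt_status check_packet_header(const uint8_t *buf, size_t buflen, uint32_t *payload_len)
{
    if (buflen < 5)
        return PKT_TOO_SHORT;
    uint32_t packet_length = read_u32(buf);
    uint8_t padding_length = buf[4];
    /* CVE-2019-3855 class: bound the value before it feeds an allocation */
    if (packet_length < 1 + MIN_PADDING || packet_length > MAX_PACKET_LEN)
        return PKT_LEN_OUT_OF_RANGE;
    /* CVE-2019-3861 class: padding must be less than packet_length - 1 */
    if (padding_length >= packet_length - 1)
        return PKT_BAD_PADDING;
    /* the whole packet must actually be present in the buffer */
    if ((size_t)packet_length + 4 > buflen)
        return PKT_TOO_SHORT;
    *payload_len = packet_length - 1 - padding_length;
    return PKT_OK;
}

/* CVE-2019-3863 class: sum response lengths without wrapping, and refuse
 * a total that would not fit in a `cap`-byte destination. */
bool sum_response_lengths(const uint32_t *lens, size_t n, uint32_t cap, uint32_t *total)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        if (lens[i] > cap - acc)    /* acc <= cap always, so this cannot underflow */
            return false;
        acc += lens[i];
    }
    *total = acc;
    return true;
}

/* CVE-2019-3862 class: SSH_MSG_CHANNEL_REQUEST is byte type, uint32 recipient,
 * string request_type. Confirm the string is fully present before memcmp(). */
bool channel_request_is(const uint8_t *payload, size_t len, const char *want)
{
    if (len < 9)
        return false;               /* type + recipient + string length */
    uint32_t slen = read_u32(payload + 5);
    if (slen > len - 9)
        return false;               /* claimed string runs past the payload */
    size_t wantlen = strlen(want);
    return slen == wantlen && memcmp(payload + 9, want, wantlen) == 0;
}

/* Constructed sample bytes for the checks above (not captured traffic). */
static const uint8_t SAMPLE_GOOD[] = {          /* packet_length 12, padding 4 */
    0x00, 0x00, 0x00, 0x0c, 0x04, 'p', 'a', 'y', 'l', 'o', 'a', 'd', 0, 0, 0, 0 };
static const uint8_t SAMPLE_BAD_PADDING[] = {   /* padding_length 11 >= 12 - 1 */
    0x00, 0x00, 0x00, 0x0c, 0x0b, 'p', 'a', 'y', 'l', 'o', 'a', 'd', 0, 0, 0, 0 };
static const uint8_t SAMPLE_HUGE_LEN[] = {      /* packet_length 0xffffffff */
    0xff, 0xff, 0xff, 0xff, 0x04, 0, 0, 0, 0, 0 };
static const uint8_t SAMPLE_EXIT_STATUS[] = {   /* type 98, recipient 1, "exit-status" */
    98, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0b,
    'e', 'x', 'i', 't', '-', 's', 't', 'a', 't', 'u', 's' };

int main(void)
{
    uint32_t n = 0;
    printf("good packet: status %d, payload %u bytes\n",
           check_packet_header(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &n), n);
    printf("bad padding: status %d\n",
           check_packet_header(SAMPLE_BAD_PADDING, sizeof SAMPLE_BAD_PADDING, &n));
    printf("exit-status request recognised: %d\n",
           channel_request_is(SAMPLE_EXIT_STATUS, sizeof SAMPLE_EXIT_STATUS, "exit-status"));
    printf("truncated request rejected: %d\n",
           !channel_request_is(SAMPLE_EXIT_STATUS, 9, "exit-status"));
    return 0;
}
```

Each check rejects the packet before any of its numbers is used for an allocation, an array index, or a comparison length, which is exactly the ordering the LibSSH2 fix descriptions above spell out.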

All nine of the LibSSH2 vulnerabilities were discovered by Chris Coulson of Canonical Ltd (the company that manages Ubuntu) and reported on 3 December 2018. All are fixed in the latest release, version 1.8.1.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
