PuTTY, an SSH and Telnet client program, and LibSSH2, a client-side C library for the SSH2 protocol, have both received updates fixing multiple vulnerabilities. Eight vulnerabilities have been fixed in version 0.71 of PuTTY, and nine in version 1.8.1 of LibSSH2.
Seven of the eight PuTTY vulnerabilities were found under the auspices of the EU-FOSSA bug bounty project, which is operated through HackerOne and Intigriti/Deloitte. In January 2019, the EU offered more than €850,000 in rewards for bugs found in 14 leading free software projects, of which PuTTY is one (via HackerOne). The PuTTY scheme runs from 7 January 2019 until 15 December 2019. Its total available bounty is €90,000, the highest single amount in the scheme.
Three of the eight PuTTY vulnerabilities allow denial-of-service attacks against it. The three triggers are: a CJK wide character written to a terminal one column wide; the combination of combining characters, double-width text, an odd number of terminal columns, and the GTK version of PuTTY; and a large number of Unicode combining characters written to the terminal.
The fourth vulnerability is one of process rather than code. If a malicious server lets PuTTY log in without authentication and then sends text imitating PuTTY's own passphrase prompt, the user can be tricked into typing their private-key passphrase into the server-controlled session. It has been addressed by changing how PuTTY distinguishes genuine authentication prompts from fake ones, rather than by altering the underlying code.
The fifth vulnerability likewise involves tricking PuTTY into doing the wrong thing. If an attacker manages to place a file called putty.chm in the directory from which PuTTY is run, PuTTY would assume it is the genuine help file and hand it to htmlhelp.exe, and a crafted .chm file can be used to run code of the attacker's choosing. This has been fixed by changing the way PuTTY tools locate their help file.
The sixth vulnerability is a buffer overflow in Unix PuTTY that occurs if the server opens too many port forwardings. PuTTY monitored activity by adding file descriptors to a fixed-size set with no bounds check, so a sufficiently high descriptor number overflowed the set. Under certain conditions this could be triggered remotely by a malicious SSH server. It has been fixed by switching all PuTTY tools to monitoring file descriptors with poll(2), whose API has no such fixed limit.
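As an added illustration of the API problem this paragraph describes (example code, not PuTTY's own): select(2) keeps the watched descriptors in a fixed-size fd_set, and FD_SET on a descriptor numbered FD_SETSIZE or higher writes outside that set, whereas poll(2) takes a caller-sized array with no such ceiling. The bounds-checked wrapper and the growable pollfd list below are mine, and I assume, as the article implies, that the fixed-size set in question was select(2)'s fd_set.

```c
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/select.h>
#include <unistd.h>

/* select(2) keeps descriptors in a fixed-size bitmask; FD_SET on a descriptor
   numbered FD_SETSIZE or higher writes past the end of it. Wrapping FD_SET in a
   bounds check turns that silent memory corruption into a visible error. */
int safe_fd_set(int fd, fd_set *set) {
    if (fd < 0 || fd >= FD_SETSIZE) return -1;
    FD_SET(fd, set);
    return 0;
}

/* poll(2) path: the descriptor list is a caller-owned array that grows on demand,
   so there is no ceiling on descriptor numbers to check against. */
typedef struct { struct pollfd *fds; size_t count, cap; } fd_watcher;

int watcher_add(fd_watcher *w, int fd, short events) {
    if (fd < 0) return -1;
    if (w->count == w->cap) {
        size_t ncap = w->cap ? w->cap * 2 : 8;
        struct pollfd *grown = realloc(w->fds, ncap * sizeof *grown);
        if (grown == NULL) return -1;
        w->fds = grown;
        w->cap = ncap;
    }
    w->fds[w->count].fd = fd;
    w->fds[w->count].events = events;
    w->fds[w->count].revents = 0;
    w->count++;
    return 0;
}

int watcher_wait(fd_watcher *w, int timeout_ms) {
    return poll(w->fds, (nfds_t)w->count, timeout_ms);
}

void watcher_free(fd_watcher *w) {
    free(w->fds);
    w->fds = NULL;
    w->count = w->cap = 0;
}

/* Add descriptor numbers 0..n-1 to a fresh watcher; returns how many were accepted.
   Unlike fd_set, numbers far above FD_SETSIZE are fine here. */
size_t watcher_capacity_check(int n) {
    fd_watcher w = { NULL, 0, 0 };
    size_t added = 0;
    for (int fd = 0; fd < n; fd++)
        if (watcher_add(&w, fd, POLLIN) == 0) added++;
    watcher_free(&w);
    return added;
}

/* Self-check: watch the read end of a pipe, write one byte, confirm poll reports it.
   Returns 1 on success, 0 otherwise. */
int watcher_demo(void) {
    int p[2];
    fd_watcher w = { NULL, 0, 0 };
    int ok = 0;
    if (pipe(p) != 0) return 0;
    if (watcher_add(&w, p[0], POLLIN) == 0 && write(p[1], "x", 1) == 1 &&
        watcher_wait(&w, 1000) == 1 && (w.fds[0].revents & POLLIN))
        ok = 1;
    watcher_free(&w);
    close(p[0]);
    close(p[1]);
    return ok;
}

int main(void) {
    fd_set set;
    FD_ZERO(&set);
    printf("FD_SET(%d) accepted: %d\n", FD_SETSIZE, safe_fd_set(FD_SETSIZE, &set) == 0);
    printf("poll watcher demo ok: %d\n", watcher_demo());
    return 0;
}
```

The point of the wrapper is that the select(2) API gives no error for an out-of-range descriptor; the check has to be added by the caller, which is exactly the kind of check that is easy to forget. The poll(2) version removes the class of bug rather than guarding against it.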
The seventh vulnerability allowed PuTTY occasionally to reuse previously generated random numbers, caused by a one-byte buffer overflow in the random pool code: if the position index could be decreased, random numbers that had already been output could be recycled. It has been solved by replacing the RNG completely with one based on Schneier and Ferguson's "Fortuna" design.
The eighth vulnerability is an integer overflow caused by a missing key-size check in the RSA key exchange code. If exploited, perhaps through a man-in-the-middle attack, the result could be uncontrolled overwriting of memory. It has been fixed by enforcing the minimum key lengths specified in RFC 4432.
All eight of these vulnerabilities have been addressed in PuTTY version 0.71.
The changelog for LibSSH2, published on Monday, lists nine bug fixes. Four involve integer overflows, four involve out-of-bounds reads, and one is a zero-byte allocation. Each vulnerability has been assigned a CVE number.
CVE-2019-3855 is a possible integer overflow. A specially crafted packet could trigger the overflow, which could then be used when allocating memory, leading to an out-of-bounds write. This has been fixed by ensuring the packet length value is within correct limits.
CVE-2019-3863 is an integer overflow. A server could send multiple keyboard-interactive responses whose total length exceeds the maximum value of an unsigned integer. The wrapped value could then be used as an index when copying memory, causing an out-of-bounds write. This has been fixed by ensuring the memory index and the length of the response fit in the buffer before copying the value and incrementing the index.
CVE-2019-3856 is a possible integer overflow in the keyboard-interactive handling. The value could be used to allocate memory, leading to an out-of-bounds write. It has been fixed by ensuring the number of keyboard prompt requests is less than 100 before proceeding with the login process.
CVE-2019-3861 involves out-of-bounds reads caused by specially crafted packets with a padding length greater than the packet length, which could result in a buffer read out of bounds or a corrupted packet value. This has been fixed by ensuring the padding length is less than the packet size minus 1.
CVE-2019-3857 is an integer overflow leading to a zero-byte allocation and an out-of-bounds write, triggered by a server sending an SSH_MSG_CHANNEL_REQUEST carrying an exit-signal message. It is fixed by ensuring the message length fits within UINT_MAX before allocating memory.
CVE-2019-3862 is an out-of-bounds memory comparison caused by a specially crafted SSH_MSG_CHANNEL_REQUEST packet with an exit-status message and no payload. It has been fixed by ensuring the packet length is greater than or equal to the length being compared before calling memcmp().
CVE-2019-3858 is a possible zero-byte allocation leading to an out-of-bounds read, caused by a specially crafted partial SFTP packet with a zero value for the payload length. This has been fixed by ensuring the payload length is not zero before proceeding.
CVE-2019-3860 involves out-of-bounds reads caused by specially crafted partial SFTP packets with empty payloads sent in response to various SFTP commands. This has been fixed by ensuring the payload is of the required length before reading the packet buffer contents.
CVE-2019-3859 involves possible out-of-bounds reads caused by specially crafted payloads and the unchecked use of _libssh2_packet_require and _libssh2_packet_requirev. This has been fixed by ensuring that the payload is of the required length before reading the packet buffer contents.
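The LibSSH2 fixes above all reduce to one rule: validate a length taken from the wire before it is used for arithmetic, allocation, indexing or memcmp(). The following added example (my own code, not LibSSH2's, and not using its internal API) shows those checks on the SSH binary packet framing of RFC 4253 and on an exit-status channel request as laid out in RFC 4254: the padding-length check of CVE-2019-3861, the overflow-safe length accumulation of CVE-2019-3863, the length-before-memcmp() check of CVE-2019-3862, and the refusal of zero-byte allocations of CVE-2019-3857 and CVE-2019-3858. The sample packet bytes are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded cursor over a received packet; every read checks the remaining bytes first. */
typedef struct { const uint8_t *p; size_t len, pos; } reader;

static int read_u8(reader *r, uint8_t *v) {
    if (r->len - r->pos < 1) return -1;
    *v = r->p[r->pos++];
    return 0;
}

static int read_u32(reader *r, uint32_t *v) {
    if (r->len - r->pos < 4) return -1;
    *v = ((uint32_t)r->p[r->pos] << 24) | ((uint32_t)r->p[r->pos + 1] << 16) |
         ((uint32_t)r->p[r->pos + 2] << 8) | (uint32_t)r->p[r->pos + 3];
    r->pos += 4;
    return 0;
}

/* SSH "string": uint32 length followed by that many bytes. The declared length is
   checked against what was actually received before a pointer is handed back. */
static int read_string(reader *r, const uint8_t **s, uint32_t *slen) {
    uint32_t n;
    if (read_u32(r, &n) != 0) return -1;
    if (r->len - r->pos < n) return -1;       /* claimed length exceeds the packet */
    *s = r->p + r->pos;
    *slen = n;
    r->pos += n;
    return 0;
}

/* Binary packet framing (RFC 4253 section 6): payload_length = packet_length - padding_length - 1.
   Rejects a padding length that does not fit inside the packet (CVE-2019-3861 class). */
int ssh_payload_length(uint32_t packet_length, uint8_t padding_length, uint32_t *payload_len) {
    if (packet_length == 0 || padding_length >= packet_length - 1) return -1;
    *payload_len = packet_length - padding_length - 1;
    return 0;
}

/* Accumulate wire lengths without wrapping (CVE-2019-3863 class). */
int add_u32_checked(uint32_t a, uint32_t b, uint32_t *out) {
    if (a > UINT32_MAX - b) return -1;
    *out = a + b;
    return 0;
}

/* memcmp only when the payload is at least as long as the string (CVE-2019-3862 class). */
int request_type_is(const uint8_t *payload, size_t len, const char *type) {
    size_t tlen = strlen(type);
    return len >= tlen && memcmp(payload, type, tlen) == 0;
}

/* Allocate for a length taken from the wire: zero-byte allocations are refused
   (CVE-2019-3857/3858 class), as are lengths above a caller-chosen ceiling. */
void *alloc_for_wire_length(uint32_t len, uint32_t max_len) {
    if (len == 0 || len > max_len) return NULL;
    return malloc(len);
}

/* SSH_MSG_CHANNEL_REQUEST body after the recipient channel (RFC 4254): string request
   type, boolean want_reply, then type-specific data; for "exit-status" a uint32 status. */
int parse_exit_status(const uint8_t *body, size_t len, uint32_t *status) {
    reader r = { body, len, 0 };
    const uint8_t *type;
    uint32_t tlen;
    uint8_t want_reply;
    if (read_string(&r, &type, &tlen) != 0) return -1;
    if (!request_type_is(type, tlen, "exit-status")) return -1;
    if (read_u8(&r, &want_reply) != 0) return -1;
    return read_u32(&r, status);
}

/* Constructed sample: a well-formed exit-status request reporting status 3. */
const uint8_t SAMPLE_EXIT_STATUS[] = { 0, 0, 0, 11, 'e', 'x', 'i', 't', '-', 's', 't', 'a', 't', 'u', 's',
                                       0, 0, 0, 0, 3 };
const size_t SAMPLE_EXIT_STATUS_LEN = sizeof SAMPLE_EXIT_STATUS;

int main(void) {
    uint32_t status = 0;
    printf("full packet: rc=%d status=%u\n",
           parse_exit_status(SAMPLE_EXIT_STATUS, SAMPLE_EXIT_STATUS_LEN, &status), status);
    /* The CVE-2019-3862 shape: request type present, nothing after it. */
    printf("truncated after type: rc=%d\n", parse_exit_status(SAMPLE_EXIT_STATUS, 15, &status));
    return 0;
}
```

Passing a shortened length of 15 to parse_exit_status() reproduces the shape of the CVE-2019-3862 case (a request type with no payload behind it) and is rejected by the bounded reader rather than read past the buffer; the same reader rejects a string whose declared length exceeds the bytes received.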
All nine of the LibSSH2 vulnerabilities were discovered by Chris Coulson of Canonical Ltd (the company that manages Ubuntu) and reported on 3 December 2018. All are fixed in the latest release, version 1.8.1.