Vulnerabilities > CVE-2011-4607 - Buffer Errors vulnerability in Putty 0.59/0.60/0.61
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
PuTTY 0.59 through 0.61 does not clear sensitive process memory when managing user replies that occur during keyboard-interactive authentication, which might allow local users to read login passwords by obtaining access to the process' memory.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 3 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family Windows NASL id PUTTY_062.NASL description The remote host has an installation of PuTTY between 0.59 and 0.61, inclusive. Such versions are known to contain an information disclosure issue, where PuTTY neglects to wipe passwords from memory that it no longer requires. Note that to exploit this vulnerability, a malicious, local process must have permission to access the memory assigned to the PuTTY process. last seen 2020-06-01 modified 2020-06-02 plugin id 57365 published 2011-12-21 reporter This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57365 title PuTTY Password Local Information Disclosure NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_BBD5F48624F111E195BC080027EF73EC.NASL description Simon Tatham reports : PuTTY 0.62 fixes a security issue present in 0.59, 0.60 and 0.61. If you log in using SSH-2 keyboard-interactive authentication (which is the usual method used by modern servers to request a password), the password you type was accidentally kept in PuTTY last seen 2020-06-01 modified 2020-06-02 plugin id 57144 published 2011-12-13 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57144 title FreeBSD : PuTTY -- Password vulnerability (bbd5f486-24f1-11e1-95bc-080027ef73ec) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201308-01.NASL description The remote host is affected by the vulnerability described in GLSA-201308-01 (PuTTY: Multiple Vulnerabilities) Multiple vulnerabilities have been discovered in PuTTY. Please review the CVE identifiers referenced below for details. Impact : An attacker could entice a user to open connection to specially crafted SSH server, possibly resulting in execution of arbitrary code with the privileges of the process or obtain sensitive information. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 69438 published 2013-08-22 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69438 title GLSA-201308-01 : PuTTY: Multiple Vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2736.NASL description Several vulnerabilities where discovered in PuTTY, a Telnet/SSH client for X. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2013-4206 Mark Wooding discovered a heap-corrupting buffer underrun bug in the modmul function which performs modular multiplication. As the modmul function is called during validation of any DSA signature received by PuTTY, including during the initial key exchange phase, a malicious server could exploit this vulnerability before the client has received and verified a host key signature. An attack to this vulnerability can thus be performed by a man-in-the-middle between the SSH client and server, and the normal host key protections against man-in-the-middle attacks are bypassed. - CVE-2013-4207 It was discovered that non-coprime values in DSA signatures can cause a buffer overflow in the calculation code of modular inverses when verifying a DSA signature. Such a signature is invalid. This bug however applies to any DSA signature received by PuTTY, including during the initial key exchange phase and thus it can be exploited by a malicious server before the client has received and verified a host key signature. - CVE-2013-4208 It was discovered that private keys were left in memory after being used by PuTTY tools. - CVE-2013-4852 Gergely Eberhardt from SEARCH-LAB Ltd. discovered that PuTTY is vulnerable to an integer overflow leading to heap overflow during the SSH handshake before authentication due to improper bounds checking of the length parameter received from the SSH server. A remote attacker could use this vulnerability to mount a local denial of service attack by crashing the putty client. Additionally this update backports some general proactive potentially security-relevant tightening from upstream. last seen 2020-03-17 modified 2013-08-13 plugin id 69313 published 2013-08-13 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/69313 title Debian DSA-2736-1 : putty - several vulnerabilities