Vulnerabilities > CVE-2013-4852 - Numeric Errors vulnerability in multiple products

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Integer overflow in PuTTY 0.62 and earlier, WinSCP before 5.1.6, and other products that use PuTTY allows remote SSH servers to cause a denial of service (crash) and possibly execute arbitrary code in certain applications that use PuTTY via a negative size value in an RSA key signature during the SSH handshake, which triggers a heap-based buffer overflow.

Vulnerable Configurations

Part Description Count
Application
Winscp
89
Application
Putty
18
Application
Simon_Tatham
21
OS
Debian
3
OS
Opensuse
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2013-655.NASL
    descriptionPutty was updated to 0.63, bringing features, bug and security fixes. Changes : - Add 0001-Revert-the-default-for-font-bolding-style.patch (upstream patch fixing a cosmetic change introduced in 0.63) - Add Conflict tag against pssh package (Parallel SSH) due to conflicting files in /usr/bin - Do signature verification - update to 0.63 - Security fix: prevent a nefarious SSH server or network attacker from crashing PuTTY at startup in three different ways by presenting a maliciously constructed public key and signature. [bnc#833567] CVE-2013-4852 - Security fix: PuTTY no longer retains the private half of users
    last seen2020-06-05
    modified2014-06-13
    plugin id75124
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75124
    titleopenSUSE Security Update : putty (openSUSE-SU-2013:1355-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2013-655.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(75124);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2013-4852");
    
      script_name(english:"openSUSE Security Update : putty (openSUSE-SU-2013:1355-1)");
      script_summary(english:"Check for the openSUSE-2013-655 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Putty was updated to 0.63, bringing features, bug and security fixes.
    
    Changes :
    
      - Add 0001-Revert-the-default-for-font-bolding-style.patch
        (upstream patch fixing a cosmetic change introduced in
        0.63)
    
      - Add Conflict tag against pssh package (Parallel SSH) due
        to conflicting files in /usr/bin
    
      - Do signature verification
    
      - update to 0.63
    
      - Security fix: prevent a nefarious SSH server or network
        attacker from crashing PuTTY at startup in three
        different ways by presenting a maliciously constructed
        public key and signature. [bnc#833567] CVE-2013-4852
    
      - Security fix: PuTTY no longer retains the private half
        of users' keys in memory by mistake after authenticating
        with them.
    
      - Revamped the internal configuration storage system to
        remove all fixed arbitrary limits on string lengths. In
        particular, there should now no longer be an
        unreasonably small limit on the number of port
        forwardings PuTTY can store.
    
      - Forwarded TCP connections which close one direction
        before the other should now be reliably supported, with
        EOF propagated independently in the two directions. This
        also fixes some instances of forwarding data corruption
        (if the corruption consisted of losing data from the
        very end of the connection) and some instances of PuTTY
        failing to close when the session is over (because it
        wrongly thought a forwarding channel was still active
        when it was not).
    
      - The terminal emulation now supports xterm's bracketed
        paste mode (allowing aware applications to tell the
        difference between typed and pasted text, so that e.g.
        editors need not apply inappropriate auto-indent).
    
      - You can now choose to display bold text by both
        brightening the foreground colour and changing the font,
        not just one or the other.
    
      - PuTTYgen will now never generate a 2047-bit key when
        asked for 2048 (or more generally n−1 bits when
        asked for n).
    
      - Some updates to default settings: PuTTYgen now generates
        2048-bit keys by default (rather than 1024), and PuTTY
        defaults to UTF-8 encoding and 2000 lines of scrollback
        (rather than ISO 8859-1 and 200).
    
      - Unix: PSCP and PSFTP now preserve the Unix file
        permissions, on copies in both directions.
    
      - Unix: dead keys and compose-character sequences are now
        supported.
    
      - Unix: PuTTY and pterm now permit font fallback (where
        glyphs not present in your selected font are
        automatically filled in from other fonts on the system)
        even if you are using a server-side X11 font rather than
        a Pango client-side one.
    
      - Bug fixes too numerous to list, mostly resulting from
        running the code through Coverity Scan which spotted an
        assortment of memory and resource leaks, logic errors,
        and crashes in various circumstances. 
    
      - packaging changes :
    
      - run make from base directory
    
      - run tests
    
      - remove putty-01-werror.diff (currently not needed)
    
      - remove putty-02-remove-gtk1.diff,
        putty-05-glib-deprecated.diff,
        putty-06-gtk2-indivhdr.diff (no longer needed)
    
      - refresh putty-03-config.diff
    
      - remove autoconf calls and requirements
    
      - package HTML documentation
    
      - package LICENCE file"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=833567"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2013-08/msg00041.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected putty packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:putty");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:putty-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:putty-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/08/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE12\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE12.3", reference:"putty-0.63-2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"putty-debuginfo-0.63-2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"putty-debugsource-0.63-2.4.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "putty / putty-debuginfo / putty-debugsource");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2013-14706.NASL
    descriptionMerge further fixes from PuTTY to address CVE-2013-4206, CVE-2013-4207, CVE-2013-4208 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2013-08-20
    plugin id69392
    published2013-08-20
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/69392
    titleFedora 19 : filezilla-3.7.3-1.fc19 (2013-14706)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2013-14676.NASL
    descriptionThis is an update that fixes several bugs, for details see upstream announcement: http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html This is an update that fixes four CVEs: CVE-2013-4206 CVE-2013-4207 CVE-2013-4208 CVE-2013-4852 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2013-08-21
    plugin id69411
    published2013-08-21
    reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/69411
    titleFedora 18 : putty-0.63-1.fc18 (2013-14676)
  • NASL familyWindows
    NASL idPUTTY_063.NASL
    descriptionThe remote host has an installation of PuTTY version 0.52 or greater but earlier than version 0.63. As such, it is reportedly affected by the following vulnerabilities : - An overflow error exists in the function
    last seen2020-06-01
    modified2020-06-02
    plugin id69318
    published2013-08-13
    reporterThis script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/69318
    titlePuTTY 0.52 to 0.62 Multiple Vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2013-650.NASL
    descriptionFileZilla was updated to version 3.7.3 to add various features, fix bugs and also security issues in the embedded putty ssh client. Full changelog: https://filezilla-project.org/changelog.php - Noteworthy changes : - Apply a fix for a security vulnerability in PuTTY as used in FileZilla to handle SFTP. See CVE-2013-4852 for reference. - Merge further fixes from PuTTY to address CVE-2013-4206, CVE-2013-4207, CVE-2013-4208 - Version bump to 3.7.0.1 - Fix issues with bundled gnutls - Update translations - Update to version 3.7.0. Changes since 3.6.0.2 : - Show total transfer speed as tooltip over the transfer indicators - List supported protocols in tooltip of host field in quickconnect bar - Use TLS instead of the deprecated term SSL - Reworded text when saving of passwords is disabled, do not refer to kiosk mode - Improved usability of Update page in settings dialog - Improve SFTP performance - When navigating to the parent directory, highlight the former child - When editing files, use high priority for the transfers - Add label to size conditions in filter conditions dialog indicating that the unit is bytes - Ignore drag&drop operations where source and target are identical and clarify the wording in some drop error cases - Trim whitespace from the entered port numbers - Slightly darker color of inactive tabs - Ignore .. item in the file list context menus if multiple items are selected - Display TLS version and key exchange algorithm in certificate and encryption details dialog for FTP over TLS connections. - Fix handling of remote paths containing double-quotes - Fix crash when opening local directories in Explorer if the name contained characters not representable in the locale
    last seen2020-06-05
    modified2014-06-13
    plugin id75120
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75120
    titleopenSUSE Security Update : filezilla (openSUSE-SU-2013:1347-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2013-14656.NASL
    descriptionThis is an update that fixes many bugs, for details see upstream announcement: http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html This is an update that fixes four CVEs: CVE-2013-4206 CVE-2013-4207 CVE-2013-4208 CVE-2013-4852 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2013-08-21
    plugin id69410
    published2013-08-21
    reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/69410
    titleFedora 19 : putty-0.63-1.fc19 (2013-14656)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201308-01.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201308-01 (PuTTY: Multiple Vulnerabilities) Multiple vulnerabilities have been discovered in PuTTY. Please review the CVE identifiers referenced below for details. Impact : An attacker could entice a user to open connection to specially crafted SSH server, possibly resulting in execution of arbitrary code with the privileges of the process or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id69438
    published2013-08-22
    reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/69438
    titleGLSA-201308-01 : PuTTY: Multiple Vulnerabilities
  • NASL familyWindows
    NASL idFILEZILLA_372.NASL
    descriptionThe version of FileZilla Client on the remote host is a version prior to 3.7.2. As such, it is affected by an integer overflow vulnerability that exists in the
    last seen2020-06-01
    modified2020-06-02
    plugin id69476
    published2013-08-13
    reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/69476
    titleFileZilla Client < 3.7.2 SFTP Integer Overflow
  • NASL familyWindows
    NASL idWINSCP_5_1_6.NASL
    descriptionThe WinSCP program installed on the remote host is a version prior to 5.1.6. It therefore contains code from PuTTY that is affected by an integer overflow related to handling RSA signature data. This error allows a remote attacker to crash the application.
    last seen2020-06-01
    modified2020-06-02
    plugin id72388
    published2014-02-07
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/72388
    titleWinSCP < 5.1.6 RSA Signature Blob Integer Overflow
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201309-08.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201309-08 (FileZilla: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in FileZilla. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to connect to a malicious server, resulting in possible arbitrary code execution or a Denial of Service. Additionally, a local attacker could read sensitive memory, potentially resulting in password disclosure. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id69899
    published2013-09-15
    reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/69899
    titleGLSA-201309-08 : FileZilla: Multiple vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2013-14794.NASL
    descriptionMerge further fixes from PuTTY to address CVE-2013-4206, CVE-2013-4207, CVE-2013-4208 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2013-09-30
    plugin id70204
    published2013-09-30
    reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/70204
    titleFedora 18 : filezilla-3.7.3-1.fc18 (2013-14794)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_4B448A96FF7311E2B28D080027EF73EC.NASL
    descriptionSimon Tatham reports : This [0.63] release fixes multiple security holes in previous versions of PuTTY, which can allow an SSH-2 server to make PuTTY overrun or underrun buffers and crash. [...] These vulnerabilities can be triggered before host key verification, which means that you are not even safe if you trust the server you think you
    last seen2020-06-01
    modified2020-06-02
    plugin id69250
    published2013-08-08
    reporterThis script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/69250
    titleFreeBSD : PuTTY -- Four security holes in versions before 0.63 (4b448a96-ff73-11e2-b28d-080027ef73ec)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2736.NASL
    descriptionSeveral vulnerabilities where discovered in PuTTY, a Telnet/SSH client for X. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2013-4206 Mark Wooding discovered a heap-corrupting buffer underrun bug in the modmul function which performs modular multiplication. As the modmul function is called during validation of any DSA signature received by PuTTY, including during the initial key exchange phase, a malicious server could exploit this vulnerability before the client has received and verified a host key signature. An attack to this vulnerability can thus be performed by a man-in-the-middle between the SSH client and server, and the normal host key protections against man-in-the-middle attacks are bypassed. - CVE-2013-4207 It was discovered that non-coprime values in DSA signatures can cause a buffer overflow in the calculation code of modular inverses when verifying a DSA signature. Such a signature is invalid. This bug however applies to any DSA signature received by PuTTY, including during the initial key exchange phase and thus it can be exploited by a malicious server before the client has received and verified a host key signature. - CVE-2013-4208 It was discovered that private keys were left in memory after being used by PuTTY tools. - CVE-2013-4852 Gergely Eberhardt from SEARCH-LAB Ltd. discovered that PuTTY is vulnerable to an integer overflow leading to heap overflow during the SSH handshake before authentication due to improper bounds checking of the length parameter received from the SSH server. A remote attacker could use this vulnerability to mount a local denial of service attack by crashing the putty client. Additionally this update backports some general proactive potentially security-relevant tightening from upstream.
    last seen2020-03-17
    modified2013-08-13
    plugin id69313
    published2013-08-13
    reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/69313
    titleDebian DSA-2736-1 : putty - several vulnerabilities

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 61599 CVE(CAN) ID: CVE-2013-4852 PuTTY是Windows和Unix平台上的PuTTYTelnet和SSH的实现,带有xterm终端模拟器。 PuTTY 0.62在处理SSH握手时,负握手消息长度可触发堆缓冲区溢出漏洞,成功后可以当前用户权限执行任意代码。要利用此漏洞需要诱使用户连接到恶意服务器。 0 Simon Tatham PuTTY 0.61 Simon Tatham PuTTY 0.60 Simon Tatham PuTTY 0.59 Simon Tatham PuTTY 0.56 Simon Tatham PuTTY 0.55 Simon Tatham PuTTY 0.54 Simon Tatham PuTTY 0.53b Simon Tatham PuTTY 0.53 Simon Tatham PuTTY 0.49 Simon Tatham PuTTY 0.48 厂商补丁: Simon Tatham ------------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.chiark.greenend.org.uk/~sgtatham/putty/ PuTTY SVN: http://svn.tartarus.org/sgt?view=revision&amp;sortby=date&amp;revision=9896 Gergely Eberhardt: http://www.search-lab.hu/advisories/secadv-20130722
idSSV:60938
last seen2017-11-19
modified2013-08-11
published2013-08-11
reporterRoot
titlePuTTY 'getstring()'函数多个整数溢出漏洞