
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL

Summary

Integer overflow in the terminal emulator in PuTTY before 0.66 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via an ECH (erase characters) escape sequence with a large parameter value, which triggers a buffer underflow.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-766.NASL
    descriptionPuTTY was updated to 0.66 to fix security issues and bugs. The following vulnerabilities were fixed : - CVE-2015-5309: Malicious ECH control sequences could have caused an integer overflow, buffer underrun in terminal emulator bnc#954191 Also contains all bug fixes up to the 0.66 release.
    last seen2020-06-05
    modified2015-11-19
    plugin id86924
    published2015-11-19
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/86924
    titleopenSUSE Security Update : putty (openSUSE-2015-766)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2015-766.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    # Registration phase: the scanner loads the plugin with "description"
    # set and only records the metadata below, then exits.
    if (description)
    {
      script_id(86924);
      script_version("2.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-5309");
    
      script_name(english:"openSUSE Security Update : putty (openSUSE-2015-766)");
      script_summary(english:"Check for the openSUSE-2015-766 patch");
    
      script_set_attribute(attribute:"synopsis", value:"The remote openSUSE host is missing a security update.");
      script_set_attribute(
        attribute:"description", 
        value:
    "PuTTY was updated to 0.66 to fix security issues and bugs.
    
    The following vulnerabilities were fixed :
    
      - CVE-2015-5309: Malicious ECH control sequences could
        have caused an integer overflow, buffer underrun in
        terminal emulator bnc#954191
    
    Also contains all bug fixes up to the 0.66 release."
      );
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=954191");
      script_set_attribute(attribute:"solution", value:"Update the affected putty packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:putty");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:putty-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:putty-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/11/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/19");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Preconditions: an authenticated local check, an openSUSE release this
    # update applies to, an RPM inventory and a supported architecture.
    # Every audit() call below terminates the plugin with that status.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE13\.1|SUSE13\.2|SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1 / 13.2 / 42.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    # Fixed package versions, keyed by release. The release list fixes the
    # order in which checks run so the generated report is unchanged.
    releases = make_list("SUSE13.1", "SUSE13.2", "SUSE42.1");
    fixed = make_array(
      "SUSE13.1", make_list("putty-0.66-2.7.1", "putty-debuginfo-0.66-2.7.1", "putty-debugsource-0.66-2.7.1"),
      "SUSE13.2", make_list("putty-0.66-4.7.1", "putty-debuginfo-0.66-4.7.1", "putty-debugsource-0.66-4.7.1"),
      "SUSE42.1", make_list("putty-0.66-6.1", "putty-debuginfo-0.66-6.1", "putty-debugsource-0.66-6.1")
    );
    
    # Count installed packages older than the fixed version.
    flag = 0;
    foreach rel (releases)
    {
      foreach ref (fixed[rel])
      {
        if (rpm_check(release:rel, reference:ref)) flag++;
      }
    }
    
    if (flag)
    {
      # Verbose scans attach the per-package comparison to the finding.
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    
    # Nothing vulnerable: distinguish "patched" from "not installed".
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    audit(AUDIT_PACKAGE_NOT_INSTALLED, "putty / putty-debuginfo / putty-debugsource");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-347.NASL
    descriptionIt was discovered that PuTTY
    last seen2020-03-17
    modified2015-11-30
    plugin id87068
    published2015-11-30
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/87068
    titleDebian DLA-347-1 : putty security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-347-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration phase: the scanner loads the plugin with "description"
    # set and only records the metadata below, then exits.
    if (description)
    {
      script_id(87068);
      script_version("2.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2015-5309");
    
      script_name(english:"Debian DLA-347-1 : putty security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security update.");
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that PuTTY's terminal emulator did not properly
    validate the parameter to the ECH (erase characters) control sequence,
    allowing a denial of service and possibly remote code execution.
    
    For the oldoldstable distribution (squeeze), this problem has been
    fixed in version 0.60+2010-02-20-1+squeeze4.
    
    For the oldstable (wheezy) and stable (jessie) distributions, this
    problem will be fixed soon.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2015/11/msg00008.html");
      script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/squeeze-lts/putty");
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:pterm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:putty");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:putty-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:putty-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/11/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: an authenticated local check on a Debian host with a
    # dpkg inventory. Every audit() call below terminates the plugin.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # All four binary packages built from the putty source share one fixed
    # version on squeeze (release 6.0).
    fixed_ref = "0.60+2010-02-20-1+squeeze4";
    flag = 0;
    foreach pkg (make_list("pterm", "putty", "putty-doc", "putty-tools"))
    {
      if (deb_check(release:"6.0", prefix:pkg, reference:fixed_ref)) flag++;
    }
    
    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    
    # Verbose scans attach the per-package comparison to the finding.
    if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
    else security_warning(0);
    exit(0);
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3409.NASL
    descriptionA memory-corrupting integer overflow in the handling of the ECH (erase characters) control sequence was discovered in PuTTY
    last seen2020-06-01
    modified2020-06-02
    plugin id87163
    published2015-12-02
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87163
    titleDebian DSA-3409-1 : putty - security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-5AD4A1F151.NASL
    descriptionThis is a new version of putty. ---- This is an update fixing an integer overflow and buffer underrun in erase characters (ECH) handling. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-03-04
    plugin id89247
    published2016-03-04
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/89247
    titleFedora 22 : putty-0.66-1.fc22 (2015-5ad4a1f151)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_0CB0AFD986B811E5BF60080027EF73EC.NASL
    descriptionBen Harris reports : Versions of PuTTY and pterm between 0.54 and 0.65 inclusive have a potentially memory-corrupting integer overflow in the handling of the ECH (erase characters) control sequence in the terminal emulator. To exploit a vulnerability in the terminal emulator, an attacker must be able to insert a carefully crafted escape sequence into the terminal stream. For a PuTTY SSH session, this must be before encryption, so the attacker likely needs access to the server you
    last seen2020-06-01
    modified2020-06-02
    plugin id86805
    published2015-11-10
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86805
    titleFreeBSD : PuTTY -- memory corruption in terminal emulator's erase character handling (0cb0afd9-86b8-11e5-bf60-080027ef73ec)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201606-01.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201606-01 (PuTTY: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PuTTY. Please review the CVE identifiers referenced below for details. Impact : Stack-based buffer overflow in the SCP command-line utility allows remote servers to execute arbitrary code or cause a denial of service condition via a crafted SCP-SINK file-size response to an SCP download request. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id91478
    published2016-06-06
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91478
    titleGLSA-201606-01 : PuTTY: Multiple vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-3D17682C15.NASL
    descriptionThis is a new version of putty. ---- This is an update fixing an integer overflow and buffer underrun in erase characters (ECH) handling. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-03-04
    plugin id89220
    published2016-03-04
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/89220
    titleFedora 23 : putty-0.66-1.fc23 (2015-3d17682c15)