CVE-2015-5309 - Numeric Errors vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
Summary
Integer overflow in the terminal emulator in PuTTY before 0.66 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via an ECH (erase characters) escape sequence with a large parameter value, which triggers a buffer underflow.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2015-766.NASL
description: PuTTY was updated to 0.66 to fix security issues and bugs. The following vulnerabilities were fixed : - CVE-2015-5309: Malicious ECH control sequences could have caused an integer overflow, buffer underrun in terminal emulator bnc#954191 Also contains all bug fixes up to the 0.66 release.
last seen: 2020-06-05
modified: 2015-11-19
plugin id: 86924
published: 2015-11-19
reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/86924
title: openSUSE Security Update : putty (openSUSE-2015-766)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2015-766.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

# Registration block: plugin metadata, CVE mapping, CPEs and dependencies.
if (description)
{
  script_id(86924);
  script_version("2.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2015-5309");

  script_name(english:"openSUSE Security Update : putty (openSUSE-2015-766)");
  script_summary(english:"Check for the openSUSE-2015-766 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"PuTTY was updated to 0.66 to fix security issues and bugs.

The following vulnerabilities were fixed :

  - CVE-2015-5309: Malicious ECH control sequences could have
    caused an integer overflow, buffer underrun in terminal
    emulator bnc#954191

Also contains all bug fixes up to the 0.66 release."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=954191"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected putty packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:putty");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:putty-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:putty-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/19");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Preconditions: local checks must be enabled and the host must be one of
# the openSUSE releases covered by the advisory (SLED/SLES are excluded).
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE13\.1|SUSE13\.2|SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1 / 13.2 / 42.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

# Compare installed package versions against the fixed versions per release.
flag = 0;

if ( rpm_check(release:"SUSE13.1", reference:"putty-0.66-2.7.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"putty-debuginfo-0.66-2.7.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"putty-debugsource-0.66-2.7.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"putty-0.66-4.7.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"putty-debuginfo-0.66-4.7.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"putty-debugsource-0.66-4.7.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"putty-0.66-6.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"putty-debuginfo-0.66-6.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"putty-debugsource-0.66-6.1") ) flag++;

# Report a warning if any package is below the fixed version; otherwise
# record that the packages were either patched or not installed.
if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "putty / putty-debuginfo / putty-debugsource");
}
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-347.NASL
description: It was discovered that PuTTY
last seen: 2020-03-17
modified: 2015-11-30
plugin id: 87068
published: 2015-11-30
reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/87068
title: Debian DLA-347-1 : putty security update
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-347-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

# Registration block: plugin metadata, CVE mapping, CPEs and dependencies.
if (description)
{
  script_id(87068);
  script_version("2.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2015-5309");

  script_name(english:"Debian DLA-347-1 : putty security update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"It was discovered that PuTTY's terminal emulator did not properly
validate the parameter to the ECH (erase characters) control sequence,
allowing a denial of service and possibly remote code execution.

For the oldoldstable distribution (squeeze), this problem has been
fixed in version 0.60+2010-02-20-1+squeeze4.

For the oldstable (wheezy) and stable (jessie) distributions, this
problem will be fixed soon.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted to
automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2015/11/msg00008.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/squeeze-lts/putty"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:pterm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:putty");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:putty-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:putty-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/11/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/30");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Preconditions: local checks enabled, Debian host, dpkg package list present.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Compare installed squeeze (6.0) packages against the fixed version.
flag = 0;
if (deb_check(release:"6.0", prefix:"pterm", reference:"0.60+2010-02-20-1+squeeze4")) flag++;
if (deb_check(release:"6.0", prefix:"putty", reference:"0.60+2010-02-20-1+squeeze4")) flag++;
if (deb_check(release:"6.0", prefix:"putty-doc", reference:"0.60+2010-02-20-1+squeeze4")) flag++;
if (deb_check(release:"6.0", prefix:"putty-tools", reference:"0.60+2010-02-20-1+squeeze4")) flag++;

# Report a warning if any package is below the fixed version.
if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-3409.NASL
description: A memory-corrupting integer overflow in the handling of the ECH (erase characters) control sequence was discovered in PuTTY
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 87163
published: 2015-12-02
reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/87163
title: Debian DSA-3409-1 : putty - security update

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2015-5AD4A1F151.NASL
description: This is new version of putty. ---- This is an update fixing integer overflow and buffer underrun in erase characters (ECH) handling. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2016-03-04
plugin id: 89247
published: 2016-03-04
reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/89247
title: Fedora 22 : putty-0.66-1.fc22 (2015-5ad4a1f151)

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_0CB0AFD986B811E5BF60080027EF73EC.NASL
description: Ben Harris reports : Versions of PuTTY and pterm between 0.54 and 0.65 inclusive have a potentially memory-corrupting integer overflow in the handling of the ECH (erase characters) control sequence in the terminal emulator. To exploit a vulnerability in the terminal emulator, an attacker must be able to insert a carefully crafted escape sequence into the terminal stream. For a PuTTY SSH session, this must be before encryption, so the attacker likely needs access to the server you
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 86805
published: 2015-11-10
reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/86805
title: FreeBSD : PuTTY -- memory corruption in terminal emulator's erase character handling (0cb0afd9-86b8-11e5-bf60-080027ef73ec)

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201606-01.NASL
description: The remote host is affected by the vulnerability described in GLSA-201606-01 (PuTTY: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PuTTY. Please review the CVE identifiers referenced below for details. Impact : Stack-based buffer overflow in the SCP command-line utility allows remote servers to execute arbitrary code or cause a denial of service condition via a crafted SCP-SINK file-size response to an SCP download request. Workaround : There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 91478
published: 2016-06-06
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/91478
title: GLSA-201606-01 : PuTTY: Multiple vulnerabilities

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2015-3D17682C15.NASL
description: This is new version of putty. ---- This is an update fixing integer overflow and buffer underrun in erase characters (ECH) handling. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2016-03-04
plugin id: 89220
published: 2016-03-04
reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/89220
title: Fedora 23 : putty-0.66-1.fc23 (2015-3d17682c15)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173021.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173094.html
- http://lists.opensuse.org/opensuse-updates/2015-11/msg00099.html
- http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html
- http://www.debian.org/security/2015/dsa-3409
- http://www.securitytracker.com/id/1034308
- https://security.gentoo.org/glsa/201606-01