Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 394429 (CVE-2011-4607)

Summary: <net-misc/putty-0.62 - Wipe SSH keyboard-interactive replies from memory after authentication. (CVE-2011-4607)
Product: Gentoo Security Reporter: Jeroen Roovers (RETIRED) <jer>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.html
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Jeroen Roovers (RETIRED) gentoo-dev 2011-12-12 11:19:04 UTC 
summary: Passwords left in memory using SSH keyboard-interactive auth
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: 0.58
present-in: 0.59 0.60 0.61
fixed-in: r9357 2011-12-08 0.62

 When PuTTY has sensitive data in memory and has no further need for it, it should wipe the data out of its memory, in case malware later gains access to the PuTTY process or the memory is swapped out to disk or written into a crash dump file. An obvious example of this is the password typed during SSH login; other examples include obsolete session keys, public-key passphrases, and the private halves of public keys. 

 PuTTY 0.59 to 0.61 inclusive had a bug in which they failed to wipe from memory the replies typed by the user during keyboard-interactive authentication. Since most modern SSH-2 servers use the keyboard-interactive method for password logins (rather than SSH-2's dedicated password method), this meant that those versions of PuTTY would store your login password in memory for as long as they were running. 

 PuTTY 0.62 fixes this bug. Keyboard-interactive responses, including passwords, are now correctly wiped from PuTTY's memory again. 

 However, it is still unavoidably very dangerous if malicious software is in a position to read the memory of your PuTTY processes: there is still a lot of sensitive data in there which cannot be wiped because it's still being used, e.g. session keys. If you're using public-key authentication and malware can read a Pageant process, that's even worse, because the decrypted private keys are stored in Pageant! This fix somewhat mitigates the risks, but no fix can eliminate them completely. 

 Audit trail[1] for this vulnerability. 


[1] http://svn.tartarus.org/sgt/putty-wishlist/data/password-not-wiped
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2011-12-12 11:20:57 UTC 
Arch teams, please test and mark stable:
=net-misc/putty-0.62
Target KEYWORDS="alpha amd64 ppc sparc x86"
Comment 2 Agostino Sarubbo gentoo-dev 2011-12-12 16:33:12 UTC 
Stable for AMD64
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2012-01-01 15:00:52 UTC 
alpha/sparc/x86 stable
Comment 4 Brent Baude (RETIRED) gentoo-dev 2012-02-01 17:09:34 UTC 
ppc done; closing as last arch
Comment 5 Agostino Sarubbo gentoo-dev 2012-02-01 17:25:27 UTC 
@security: please vote
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2012-02-02 02:41:31 UTC 
Thanks, everyone. GLSA Vote: yes.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2012-03-06 00:55:56 UTC 
Vote: NO.
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-06 21:22:28 UTC 
Vote: Yes. 

Created new GLSA request.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-08-21 11:58:16 UTC 
This issue was resolved and addressed in
 GLSA 201308-01 at http://security.gentoo.org/glsa/glsa-201308-01.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 16:23:16 UTC 
CVE-2011-4607 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4607):
  PuTTY 0.59 through 0.61 does not clear sensitive process memory when
  managing user replies that occur during keyboard-interactive authentication,
  which might allow local users to read login passwords by obtaining access to
  the process' memory.