PuTTY vulnerability vuln-dss-verify

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Changes | Wishlist

summary: Vulnerability: DSA signature check bypass (development code only)
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: 0.70 2018-12-31
present-in: 25b034ee39f557cab6e6e7b79591ef46c72cba92 2019-01-01
fixed-in: 8957e613bc1c2574a6ab1190244ae2b4868831ed 2019-02-11 (0.71)

Some development snapshot versions of PuTTY have a vulnerability allowing a man-in-the-middle attacker to compromise (view and modify) SSH sessions, silently in some circumstances. No release version of PuTTY is affected by this bug, including 0.70. Only development snapshot builds from us dated 2019, before 2019-02-11, are affected.

The bug affects DSA signature checking; in vulnerable versions, there is a fixed signature that an attacker can present which will always pass a signature check regardless of anything else. (See the Fixed-in commit message for the precise details.) Other signature algorithms (including ECDSA and Ed25519) are not affected.

The main impact of this is on the use of DSA ("ssh-dss") format host keys. The precise effect of this depends on the existing contents of the client's host key cache.

If your PuTTY installation has no DSA host keys cached (on Windows you can check this by inspecting the Registry), and you're sure you haven't been prompted for one while using a vulnerable snapshot of PuTTY, then you are probably fine. (To reiterate: if you have only used released versions of PuTTY, then you are definitely fine.)

If the client (or user) insists on public-key user authentication (even with a DSA user key), this vulnerability is somewhat mitigated; the man-in-the-middle cannot gain access to the server (as they don't have access to the user's private key), although they can still pretend to be the server to the user using any prior knowledge of the server they may have.

This vulnerability was found by Filipe Casal, as part of a bug bounty programme run under the auspices of the EU-FOSSA project. Since it only affected pre-release code, we disclosed the fix immediately.


If you want to comment on this web site, see the Feedback page.
Audit trail for this vulnerability.
(last revision of this bug record was at 2019-02-15 19:29:06 +0000)