Office of the Chief Information Officer

V-213: PuTTY SSH Handshake Integer Overflow Vulnerabilities

August 7, 2013

PROBLEM:

SEARCH-LAB has reported some vulnerabilities in PuTTY.

PLATFORM:

PuTTY 0.x

ABSTRACT:

The vulnerabilities can be exploited by malicious people to potentially compromise a user's system.

REFERENCE LINKS:

Secunia Advisory SA54354
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3520
CVE-2013-4206
CVE-2013-4207
CVE-2013-4208
CVE-2013-4852

IMPACT ASSESSMENT:

Medium

DISCUSSION:

The vulnerabilities are caused by integer overflow errors in the handling of the SSH handshake and can be exploited to cause heap-based buffer overflows via a negative handshake message length.
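
The flaw class described above, shown as an added example (not PuTTY's code and not part of the original bulletin): a length check done on a signed integer accepts a negative length, while an unsigned check bounded by the packet and the buffer rejects it. The function names and the 4-byte big-endian length prefix (the layout SSH uses for string fields) are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode a 4-byte big-endian length prefix (SSH string-field layout). */
static uint32_t get_u32_be(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed pattern (hypothetical): the length lives in a signed int and only
 * the upper bound is tested. 0xFFFFFFFF becomes -1 on common compilers and
 * passes; a later memcpy would widen it to a huge size_t. Returns 1 if the
 * length would be accepted. No copy is performed here. */
int flawed_length_accepted(const unsigned char *pkt, size_t pktlen, size_t bufsize) {
    if (pktlen < 4) return 0;
    int len = (int)get_u32_be(pkt);
    return len <= (int)bufsize;
}

/* Hardened pattern: keep the length unsigned and bound it by both the bytes
 * left in the packet and the destination size before copying.
 * Returns the number of bytes copied, or -1 for a malformed field. */
long read_string_checked(const unsigned char *pkt, size_t pktlen,
                         unsigned char *out, size_t outsize) {
    if (pktlen < 4) return -1;
    uint32_t len = get_u32_be(pkt);
    if (len > pktlen - 4 || len > outsize) return -1;
    memcpy(out, pkt + 4, len);
    return (long)len;
}

int main(void) {
    /* Constructed inputs: a well-formed field and one with length 0xFFFFFFFF. */
    const unsigned char good[] = {0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c'};
    const unsigned char bad[]  = {0xFF, 0xFF, 0xFF, 0xFF, 'A'};
    unsigned char out[64];

    printf("flawed check accepts negative length: %d\n",
           flawed_length_accepted(bad, sizeof bad, sizeof out));
    printf("hardened, bad field:  %ld\n",
           read_string_checked(bad, sizeof bad, out, sizeof out));
    printf("hardened, good field: %ld\n",
           read_string_checked(good, sizeof good, out, sizeof out));
    return 0;
}
```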

IMPACT:

Successful exploitation may allow execution of arbitrary code.

SOLUTION:

Fixed in the source code repository

 

JC3 Contact:

Voice: Hotline at 1-866-941-2472

World Wide Web: http://energy.gov/cio/services/incident-management

E-mail: circ@jc3.doe.gov

JC3 services are available to JC3-Joint Cybersecurity Coordination Center, and JC3 Contractors.