PuTTY vulnerability vuln-rsa-kex-integer-overflow

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Pre-release · Snapshot | Docs | Privacy | Changes | Wishlist

summary: Integer overflow due to missing key-size check in RSA key exchange code
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: 0.60
fixed-in: d82854999516046122501b2e145099740ed0284f 0.71

Up to and including version 0.70, PuTTY's implementation of RSA key exchange (RFC 4432) failed to enforce that the RSA key sent by the server was of at least the length required by the specification (1024 or 2048 bits, for the two specified methods).

In particular, the server could send an RSA key so short that when PuTTY computed the number of bits (KLEN) in the secret integer K it will encrypt with that key, the number of bits would come out negative. This led to an integer overflow and uncontrolled overwriting of memory.

We don't know if this can be exploited to gain control over the client. But because it occurs during key exchange, and therefore it happens before host key checking, the overflow can be induced by a MITM attack even if the MITM does not know the correct host key. So even if you trust the server you think you are connecting to, you are not safe.

As of 0.71, PuTTY now enforces the minimum key lengths specified in RFC 4432, which ensures that KLEN is always positive.

This vulnerability was found by Filipe Casal, as part of a bug bounty programme run under the auspices of the EU-FOSSA project. It has been assigned CVE ID CVE-2019-9894.


If you want to comment on this web site, see the Feedback page.
Audit trail for this vulnerability.
(last revision of this bug record was at 2022-09-11 23:46:37 +0100)