PuTTY fails to clear private key information from memory

2015.03.02
Risk: Low
Local: Yes
Remote: No
CWE: CWE-200


CVSS Base Score: 2.1/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

PuTTY suite versions 0.51 to 0.63 fail to clear SSH-2 private key information from memory when loading and saving key files to disk, leading to potential disclosure. The issue affects keys stored on disk in encrypted and unencrypted form, and is present in PuTTY, Plink, PSCP, PSFTP, Pageant and PuTTYgen. The maintainers have provided details at [1], and have promptly patched the vulnerability in version 0.64 [2]. Can a CVE please be assigned for this issue? -Patrick 1. http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html 2. http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

References:

http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html
http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top