Up to and including version 0.70, PuTTY's implementation of RSA key exchange (RFC 4432) failed to enforce that the RSA key sent by the server was of at least the length required by the specification (1024 or 2048 bits, for the two specified methods).
In particular, the server could send an RSA key so short that when PuTTY computed the number of bits (KLEN) in the secret integer K it would encrypt with that key, the number of bits would come out negative. This led to an integer overflow and uncontrolled overwriting of memory.
We don't know if this can be exploited to gain control over the client. But because it occurs during key exchange, and therefore it happens before host key checking, the overflow can be induced by a MITM attack even if the MITM does not know the correct host key. So even if you trust the server you think you are connecting to, you are not safe.
As of 0.71, PuTTY now enforces the minimum key lengths specified in RFC 4432, which ensures that KLEN is always positive.
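The arithmetic behind the bug and the fix, as an added example (not PuTTY's own code): RFC 4432 sizes the secret K at the RSA modulus length in bits, minus twice the hash length in bits, minus 49, so a short server key drives the result below zero unless the per-method minimum is enforced first. The function names and table layout here are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* The two RFC 4432 methods: minimum modulus size and hash output size, in bits. */
struct rsakex_method { const char *name; int min_modulus_bits; int hash_bits; };

static const struct rsakex_method methods[] = {
    { "rsa1024-sha1",   1024, 160 },
    { "rsa2048-sha256", 2048, 256 },
};

/* Unchecked form: bits available for the secret K under the RFC 4432 bound.
 * Goes negative for short moduli; a negative count later used as a length
 * is the integer overflow the advisory describes. */
int secret_bits_unchecked(int modulus_bits, int hash_bits)
{
    return modulus_bits - (2 * hash_bits + 49);
}

/* Hardened form: reject unknown methods and undersized server keys before
 * doing any arithmetic. Returns the bit count, or -1 to abort key exchange. */
int secret_bits_checked(const char *method, int modulus_bits)
{
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        if (strcmp(methods[i].name, method) != 0)
            continue;
        if (modulus_bits < methods[i].min_modulus_bits)
            return -1;
        return secret_bits_unchecked(modulus_bits, methods[i].hash_bits);
    }
    return -1;
}

int main(void)
{
    /* Constructed sample key sizes, including undersized ones. */
    const int sizes[] = { 256, 512, 1024, 2048 };
    for (size_t m = 0; m < sizeof methods / sizeof methods[0]; m++) {
        for (size_t s = 0; s < sizeof sizes / sizeof sizes[0]; s++) {
            int raw = secret_bits_unchecked(sizes[s], methods[m].hash_bits);
            int ok = secret_bits_checked(methods[m].name, sizes[s]);
            printf("%-15s modulus=%4d unchecked=%5d checked=%s\n",
                   methods[m].name, sizes[s], raw,
                   ok < 0 ? "REJECT" : "accept");
        }
    }
    return 0;
}
```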
This vulnerability was found by Filipe Casal, as part of a bug bounty programme run under the auspices of the EU-FOSSA project. It has been assigned CVE ID CVE-2019-9894.