Home page logo

oss-sec logo oss-sec mailing list archives

CVE request: putty does not wipe keyboard-interactive replies from memory after authentication
From: Vincent Danen <vdanen () redhat com>
Date: Mon, 12 Dec 2011 10:47:06 -0700

Putty 0.59-0.61 does not wipe keyboard-interactive replies from memory
after authentication.  If malware is installed on the system and can
access arbitrary memory locations, or if the memory is swapped to disk
or written in a crash dump file, it can expose sensitive authentication
information like passwords, public-key passphrases, etc.

This is fixed upstream in 0.62.

Could a CVE be assigned to this?




Vincent Danen / Red Hat Security Response Team

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]