oss-sec: Re: CVE request: putty does not wipe keyboard-interactive replies from memory after authentication

oss-sec mailing list archives

Re: CVE request: putty does not wipe keyboard-interactive replies from memory after authentication

From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 12 Dec 2011 13:55:41 -0700

On 12/12/2011 10:47 AM, Vincent Danen wrote:

Putty 0.59-0.61 does not wipe keyboard-interactive replies from memory
after authentication.  If malware is installed on the system and can
access arbitrary memory locations, or if the memory is swapped to disk
or written in a crash dump file, it can expose sensitive authentication
information like passwords, public-key passphrases, etc.

This is fixed upstream in 0.62.

Could a CVE be assigned to this?

References:

http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.html

http://svn.tartarus.org/sgt?view=rev&revision=9357
https://bugzilla.redhat.com/show_bug.cgi?id=766865
http://bugs.gentoo.org/show_bug.cgi?id=394429

Thanks.

Please use CVE-2011-4607 for this issue.

-- 

-Kurt Seifried / Red Hat Security Response Team

By Date By Thread

Current thread:

CVE request: putty does not wipe keyboard-interactive replies from memory after authentication Vincent Danen (Dec 12)
- Re: CVE request: putty does not wipe keyboard-interactive replies from memory after authentication Kurt Seifried (Dec 12)