PuTTY vulnerability vuln-passwd-memdump
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
present-in: 0.53b
fixed-in: 2003-01-10 (0.54) (0.55) (0.56) (0.57) (0.58) (0.59) (0.60)

As reported in iDEFENSE Security Advisory 01.28.03, PuTTY 0.53b fails to scrub the password from a memory buffer after authentication, making it trivially easy for an attacker with access to a memory dump to recover the password. (This only applies when using SSH-2.)

This is fixed in the nightly development snapshots as of 2003-01-10, and will be fixed in the next stable release.

This vulnerability corresponds to CVE CAN-2003-0048.

(last revision of this bug record was at 2004-11-16 15:27:00 +0000)
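The class of bug recorded above, as an added C example (not PuTTY's code and not its actual fix): a password copy left in a buffer after authentication next to the same path with the buffer scrubbed. The names `secure_wipe`, `send_auth_request`, `authenticate`, `residue` and `PW_MAX`, and the sample password, are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define PW_MAX 64  /* assumed buffer size for this example */

/* Wipe through a volatile pointer so the compiler cannot discard the
 * stores as dead writes to a buffer that is never read again. */
static void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Hypothetical stand-in for sending the SSH-2 password authentication
 * request; it only compares against a constructed sample value. */
static int send_auth_request(const char *password)
{
    return strcmp(password, "correct horse") == 0;
}

/* Count non-zero bytes in a buffer: what a memory dump would still show. */
static size_t residue(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            n++;
    return n;
}

/* Authenticate using a copy of the password held in `store`.
 * scrub == 0 leaves the copy in place (the flaw described above);
 * scrub != 0 clears the whole buffer once the request has been sent. */
static int authenticate(const char *typed, unsigned char *store, int scrub)
{
    size_t len = strlen(typed);
    if (len >= PW_MAX)
        return -1;  /* too long: nothing is copied */
    memcpy(store, typed, len + 1);
    int ok = send_auth_request((const char *)store);
    if (scrub)
        secure_wipe(store, PW_MAX);
    return ok;
}
```

The wipe covers the full buffer rather than `strlen` bytes, so a shorter password does not leave the tail of an earlier, longer one behind.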