Slashdot Mirror


Serious Security Hole In PuTTY

Tim 'gk^' Nilimaa writes "A serious security hole has been found in PuTTY, version 0.54 and before. Simon Tatham and his fellows released PuTTY 0.55 on 2004-08-03 which solves this bug. The bug may allow servers to use PuTTY to act as a machine that you trust, even before you verify the host's key while connecting using SSH2. An attack could be a fact before you know that you have connected to the wrong machine. I (and they) say: upgrade to PuTTY 0.55 - now."

3 of 72 comments

  1. Nice response time by curtisk · Score: 4, Insightful

    I've used Putty now and again, but I know a lot of others that do use it on a daily basis...so it's always assuring that the devs have a quick turnaround on fixes (especially with free software), that kind of dedication is appreciated

    --

    Dear toilet user!

  2. Re:This is a tough one to classify by gmhowell · Score: 2, Insightful

    It is for the former reason that it should be front page. IMNSHO.

    Instead, we have 'Microsoft will try blogging service in Japan', 'ESA To Study Human Hibernation', and 'DEFCON WiFi Shootout Winners Set A Land Record'.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon

  3. Re:Seriously though by menscher · Score: 2, Insightful

    Does anyone really do anything other than just blindly hit "yes" when presented with a new host identification string?

    First off, I'm a sysadmin, and I save my hostkeys when I upgrade.

    Secondly, my client machines have the server key, so user passwords are not required.

    Third, I usually check into the reason. If possible, I log in to a place I would have connected from before. There's only 2-3 machines I regularly log into from random places, and I have their bubble-babble digests memorized. And if I have no other choice, I connect and then immediately do the "ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub" to verify the key matches. If it doesn't, then I would know I'd been caught by a MITM attack. I could immediately su and lock my account and the su account I used to lock myself out (leaving only root).

    Are these practical steps? YES! Trust me... there were attempted MITM attacks at Defcon this year. That is one place I would NOT accept an unknown hostkey.
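
The fingerprint comparison described in the last comment, as an added example that is not part of the original thread or of PuTTY's code: it derives the MD5 and SHA256 fingerprints of a public key line in the same form `ssh-keygen -l` prints and compares them with a fingerprint recorded beforehand. The function names are assumptions and the two sample keys are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def fingerprints(pubkey_line: str) -> dict:
    """Fingerprints of one '<type> <base64-blob> [comment]' public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with the key type as an SSH string; reject a mismatch.
    if blob[:4 + len(fields[0])] != ssh_string(fields[0].encode()):
        raise ValueError("key type does not match key blob")
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha,
    }


def matches_pinned(pubkey_line: str, pinned: str) -> bool:
    """True if the offered key has the fingerprint recorded out of band."""
    if pinned.startswith("SHA256:"):
        actual = fingerprints(pubkey_line)["sha256"]
    else:
        actual, pinned = fingerprints(pubkey_line)["md5"], pinned.lower()
    return hmac.compare_digest(actual, pinned)


def make_key_line(key_bytes: bytes) -> str:
    """Build a constructed ssh-ed25519 key line (sample data, not a real host)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(key_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"


KNOWN_HOST_KEY = make_key_line(bytes(range(32)))     # key recorded earlier
OTHER_HOST_KEY = make_key_line(bytes(range(1, 33)))  # a different host's key
PINNED = fingerprints(KNOWN_HOST_KEY)["sha256"]

if __name__ == "__main__":
    print(PINNED, matches_pinned(KNOWN_HOST_KEY, PINNED), matches_pinned(OTHER_HOST_KEY, PINNED))
```

The comparison is only meaningful when the pinned fingerprint was obtained over a channel other than the connection being checked.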