Serious Security Hole In PuTTY

← Back to Stories (view on slashdot.org)

Serious Security Hole In PuTTY

Posted by timothy on Wednesday August 4, 2004 @12:37AM from the and-now-it's-fixed dept.

Tim 'gk^' Nilimaa writes "A serious security hole has been found in PuTY, version 0.54 and before. Simon Tatham and his fellows released PuTTY 0.55 on 2004-08-03 which solves this bug. The bug may allow servers to use PuTTY to act as a machine that you trust, even beforce you verify the hosts key while connecting using SSH2. An attack could be a fact before you know that you have connected to the wrong machine. I (and they) say: upgrade to PuTTY 0.55 - now."

12 of 72 comments (clear)

Min score:

Reason:

Sort:

Nice response time by curtisk · 2004-08-04 00:43 · Score: 4, Insightful

I've used Putty now and again, but I know alot of others that do use it on a daily basis...so its always assuring that the devs have a quick turn around on fixes (especially with free software), that kind of dedication is appreciated

--
Sehr geehrter Toilettenbenutzer!
1. Re:Nice response time by Richard_at_work · 2004-08-04 07:39 · Score: 3, Interesting
  
  so its always assuring that the devs have a quick turn around on fixes (especially with free software), that kind of dedication is appreciated
  
  Not meaning to be nasty to the putty team, but theres no verifiable date of discovery of this bug, and the last release was 2003. This bug could have been known to the team 6 months ago, and only fixed now :).
2. Re:Nice response time by Simon+Tatham · 2004-08-05 02:56 · Score: 4, Informative
  
  That's true, we didn't mention that anywhere, did we?
  
  We were notified of the problem six days before the 0.55 release went out. I'd have liked to get it turned around faster than that, but it took me a few days of bouncing email back and forth to get a coherent description of one of the two problems (the less important one, as it turned out).
  
  But of course you've only got my word for that...
Clarification by SpaceLifeForm · 2004-08-04 00:48 · Score: 5, Informative

It's the server that you think you can trust that can execute code on your Putty client.
The writeup is not clear:
The bug may allow servers to use PuTTY to act as a machine that you trust,...
Well, of course you trust your client machine.

--
You are being MICROattacked, from various angles, in a SOFT manner.
1. Re:Clarification by whoisjoe · 2004-08-04 03:35 · Score: 5, Funny
  
  Actually, my client machine has been acting kind of weird lately. I think it's plotting against me, trying to turn my family and friends against...hey what are you do-OW!
  
  THERE IS NOTHING TO FEAR. ALL IS WELL. NOTHING TO SEE HERE. PLEASE KEEP MOVING.
2. Re:Clarification by dstone · 2004-08-04 03:44 · Score: 3, Funny
  
  Well, of course you trust your client machine.
  
  Not if my client machine runs Windows.
Re:PuTTY tip by Anonymous Coward · 2004-08-04 01:02 · Score: 5, Informative

Open Putty, Category -> Connection -> SSH -> Tunnels.

In the port forwarding section, add new forwarded port.

Pick a source port. Any port will work, but 1080 is the standard for socks 5 proxies. Leave Destination blank, and choose Dynamic (instead of Local or Remote). Click the add button, and you should see D1080 listed in the box.

Okay, now you can save your session and start it.

In applications you can go into their connection settings section and set localhost, port 1080 as the SOCKS host. The application will then tunnel everything through your SSH connection.
Recent SSH chatter... by dpilot · 2004-08-04 01:21 · Score: 3, Funny

I've heard lately about a lot more SSH chatter showing up than normal. There's been some speculation about an exploit turning up, soon. Perhaps this is it.

Or maybe there's Yet More To Come.

--
The living have better things to do than to continue hating the dead.
1. Re:Recent SSH chatter... by Col.+Klink+(retired) · 2004-08-04 02:06 · Score: 3, Informative
  
  This exploit attacks a client as it conencts to a server. Seeing ssh chatter in your logs means someone is trying to exploit your server.
  
  --
  -- Don't Tase me, bro!
Mirrors by MikeSweetser · 2004-08-04 03:09 · Score: 3, Informative

It appears the main PuTTY site has been Slashdotted: here's a few more links:

http://putty.obengelb.de/
http://www.puttyssh.org/
http://putty.activalink.net/

And a nice mirrors list.

Mike
Seriously though by GigsVT · 2004-08-04 03:51 · Score: 5, Informative

Does anyone really do anything other than just blindly hit "yes" when presented with a new host identification string?

Even with strict checking on, most of us are used to blowing records out of known hosts files when they don't match, due to system upgrades causing the old records to be invalid all the time.

--
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Why not front page? by gmhowell · 2004-08-04 04:49 · Score: 4, Interesting

Why isn't this on the front page? Oh, right, let's bury news of problems with cool programs, but a minor issue (solved six months ago) in a Microsoft program gets front page mission.

Keep up the good work Rob. Hey, where are the 503's today? It hardly seems like the dot without them.

Yeah, yeah, -1, flamebait -1 troll. Who gives a crap? Not Rob or OSDTNVHPR

--
Jesus was all right but his disciples were thick and ordinary. -John Lennon