Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


If you are using putty, update it!
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

If you are using putty, update it!

NeoonNeoon Community Contributor, Veteran
edited March 2019 in General

Security fixes found by an EU-funded bug bounty programme:

  • a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification
  • potential recycling of random numbers used in cryptography
  • on Windows, hijacking by a malicious help file in the same directory as the executable
  • on Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding
  • multiple denial-of-service attacks that can be triggered by writing to the terminal
  • Other security enhancements: major rewrite of the crypto code to remove cache and timing side channels.

https://www.chiark.greenend.org.uk/~sgtatham/putty/

Holy christ.

«1

Comments

  • This should be pinned @FAT32

    Thanked by 2FAT32 dahartigan
  • Thanked by 3reikuzan eol amstel
  • angstromangstrom Moderator

    Putty?

    Thanked by 2Janevski eol
  • angstromangstrom Moderator

    @angstrom said:
    Putty?

    Oh, you mean PuTTY!

    Thanked by 1eol
  • angstromangstrom Moderator

    I'm always surprised at how long Windows lacked a native ssh-client.

    By the way, it true that Windows 10 comes with a native ssh-client? Or is it the case only beginning with a specific update of Windows 10?

  • NeoonNeoon Community Contributor, Veteran

    @angstrom said:
    I'm always surprised at how long Windows lacked a native ssh-client.

    By the way, it true that Windows 10 comes with a native ssh-client? Or is it the case only beginning with a specific update of Windows 10?

    Well it comes with some sort of Ubuntu as subsystem which has a ssh installed.

  • deankdeank Member, Troll
    edited March 2019

    Potty and PuTTY are the same thing.

    Win 10 has a native ssh client? Never heard about it. They should make one because SecureCRT has been making a killing off the same software they've had for decades.

  • angstromangstrom Moderator
    edited March 2019

    @Neoon said:

    @angstrom said:
    I'm always surprised at how long Windows lacked a native ssh-client.

    By the way, it true that Windows 10 comes with a native ssh-client? Or is it the case only beginning with a specific update of Windows 10?

    Well it comes with some sort of Ubuntu as subsystem which has a ssh installed.

    I've just checked and it appears that beginning with the Windows 10 October 2018 Update (version 1809, codename "Redstone 5"), there's a native ssh client available (indeed, it's a port of the OpenSSH client to PowerShell). For example, see:

    https://library.osu.edu/blogs/it/native-ssh-client-support-in-windows-10/

    As I understand it, this is independent of any Ubuntu subsystem (which no doubt has its own Linux ssh client).

    Thanked by 1poisson
  • SovaSova Member

    Does anyone know if Kitty has the same issues?

  • NeoonNeoon Community Contributor, Veteran

    @Sova said:
    Does anyone know if Kitty has the same issues?

    KiTTY is a fork from version 0.70 of PuTTY, the best telnet / SSH client in the world.

    Yes

  • Someone remind me to get a new binary for my XP box!

  • HxxxHxxx Member

    Just use linux as workstation...
    If you game, have a different rig for that.

  • Adam1Adam1 Member

    Hopefully a KiTTY update will follow soon

    Thanked by 1JohnRoe
  • The developer admitted that one update fixed a "'game over' level vulnerability".
    https://www.theregister.co.uk/2019/03/19/putty_patched_rsa_key_exchange_vuln/

  • Well, it's a good thing that they found the vulnerabilities! Just update your system as often ad you change underwear.

  • Oh nice, now i shall use putty again xD

  • NeoonNeoon Community Contributor, Veteran

    @youssefbasha said:
    Oh nice, now i shall use putty again xD

    Even then, WinSCP and Filezilla also a bunch other programs are affected.

  • @Neoon said:

    @youssefbasha said:
    Oh nice, now i shall use putty again xD

    Even then, WinSCP and Filezilla also a bunch other programs are affected.

    To be fair, Filezilla was an exploit with an FTP service as an afterthought.

    Also, the PuTTy author was slightly besmearched above. He said "That bug never was released, but it would have been bad. Really, really bad. Like so totally bad your penis would fall off and your nuts would shrivel. But, still, better than using an Ubuntu abstraction layer."

  • psb777psb777 Member
    edited March 2019

    @sandanista said:
    The developer admitted that one update fixed a "'game over' level vulnerability".
    https://www.theregister.co.uk/2019/03/19/putty_patched_rsa_key_exchange_vuln/

    However, that "game over" level vulnerability did not exist in any previous versions of PuTTY:

    "Luckily," he continued, "it never appeared in a released version of PuTTY[...]


    I don't think there's any reason to panic.

    The most interesting (or serious) one fixed in the new version is "a remotely triggerable memory overwrite in RSA key exchange," but my bet is the attacker can't maneuver the memory to make it anything dangerous.

  • Daniel15Daniel15 Veteran
    edited March 2019

    Note that most of the vulnerabilities are either difficult to exploit, or don't exist in a stable released version of PuTTY.

    Windows 10 has a native SSH client and server now. The server works on Windows Server 2016 too, although you need to manually download and install it (whereas on Windows 10 it's in the optional features). https://www.howtogeek.com/336775/how-to-enable-and-use-windows-10s-built-in-ssh-commands/

  • Issue solved, I updated my PUSSY PUTTY. Thanks for the heads up.

    Thanked by 1netomx
  • ChimpanzeeChimpanzee Member, Host Rep

    Been having issues and unidentified errors, after the update everything seems to running smoothly. Thank for the help boys n girls!

    Thanked by 1netomx
  • Anyone else use MobaXterm and/or know if it's also affected? https://mobaxterm.mobatek.net/

    Last update seems to be about 2 months ago.

  • I weep for humanity when people are so damn dumb they assume that everything uses the same GPL library which was NOT affected by this issue in production.

  • tomttomt Member

    Thanks for the update!

  • HostUpHostUp Member, Host Rep

    I think I am fine.. Right? Me only using localhost xd. Anyways great information!

  • @HostUp said:
    I think I am fine.. Right? Me only using localhost xd. Anyways great information!

    Kill yourself in minecraft.

  • OK , YOU RIGHT

  • fleiofleio Member

    Btw, modern putty alternative with tabs: https://www.solarwinds.com/free-tools/solar-putty

    Still uses putty under the hood and still affected by this vulnerability.

  • SplitIceSplitIce Member, Host Rep

    It's actually a real shame that there hasnt been any real inovation in the ssh client area for windows. There are a few other SSH clients but none that rival the UX of PuTTY unfortunately.

Sign In or Register to comment.