Saturday, January 18, 2025
HomeComputer SecurityPuTTY 0.71 Released - SSH Client Updated To Fix a Large Number...

PuTTY 0.71 Released – SSH Client Updated To Fix a Large Number of Security Vulnerabilities

Published on

SIEM as a Service

Follow Us on Google News

The free and open-source SSH client updated with the fix for a number of Security Vulnerabilities including the one in RSA key exchange and the latest version is PuTTY 0.71.

PuTTY is an SSH and telnet client for the Windows platform. PuTTY is an open source Project that is available with source code and is developed and supported by a group of volunteers.

PuTTY is one of the most widely used SSH clients to Cloud server, Networking devices, and Virtual private servers. It remains as a standard tool to connect with remote devices for a number of years.

The latest release of PuTTY 0.71 includes fixes for a number of security vulnerabilities.

DSA signature check bypass

The bug affects development snapshot versions dated 2019, before 2019-02-11 of PuTTY and the release versions not impacted with the bug. The vulnerability allows an attacker to steal SSH sessions through man-in-the-middle attacks.

Integer overflow

All the version’s up to 0.70 PuTTY’ RSA key exchange failed to enforce the RSA keys specified in RFC 4432 sent by the server, starting from PuTTY 0.71, now enforces the minimum key lengths specified in RFC 4432.

Potential Malicious code execution

With Version 0.70 and below, if you launch help then it looks for the putty.chm file, if somebody inserted malicious codes with the file then it executed, this is because HTML Help files (.chm) can arrange in turn to run code of their choice.

With Version 0.71 the CHM is protected against malicious modification by the Authenticode signature.

Buffer Overflow in Unix PuTTY

Up to and including version 0.70, the Unix PuTTY tools used select(2) to watch their collections of active Unix file descriptors for activity. As of 0.71, all the Unix PuTTY tools have switched to monitoring file descriptors using poll(2), which does not have this API bug.

Authentication Prompts

Up to and including version 0.70, the PuTTY tools had no way to indicate whether a piece of terminal output was a genuine user-authentication prompt, starting from version 0.71, the data that was legitimately emitted by the local PuTTY during SSH connection setup is marked with what our code describes as a ‘trust sigil’.

Cryptographic Random Numbers

Up to version 0.70 cryptographic random number generator could occasionally use the same batch of random bytes twice, with that entire random number generator has been completely replaced with a freshly written one based on Schneier and Ferguson’s algorithm.

DoS if Many Unicode

Up to version 0.70, PuTTY’s terminal emulator supports remembering an unlimited number of combining characters in each character cell of the terminal. With 0.71, this is fixed by limiting each character cell to at most 32 combining characters.

DoS by Terminal output

With version 0.70 and below the GTK front end to PuTTY’s terminal emulator would fail an assertion in a corner case, starting from 0.71, this assertion failure is fixed. PuTTY will cleanly handle this case.

DoS by Terminal output CJK

Up to version 0.70, PuTTY’s terminal emulator would fail an assertion if the terminal is exactly one column wide and the terminal output stream tries to print a width-2 character. With 0.71, this assertion failure is fixed.

Users are recommended to PuTTY 0.71 that covers all the bugs, Latest version of PuTTY can be downloaded from here.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Ghidra – Free Reverse Engineering Tool Released by NSA

Wireshark 3.0.0 Released With Support for Npcap Packet Capturing Library

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....

New Tool Unveiled to Scan Hacking Content on Telegram

A Russian software developer, aided by the National Technology Initiative, has introduced a groundbreaking...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Is this Website Safe: How to Check Website Safety – 2025

is this website safe? In this digital world, Check a website is safe is...

Garak – An Open Source LLM Vulnerability Scanner for AI Red-Teaming

Garak is a free, open-source tool specifically designed to test the robustness and reliability...

LegionLoader Abusing Chrome Extensions To Deliver Infostealer Malware

LegionLoader, a C/C++ downloader malware, first seen in 2019, delivers payloads like malicious Chrome...