New PuTTY version after almost 2 years
The open source SSH client "PuTTY", which is very popular with Windows administrators, was released in a new version last Saturday. This update is the first to come after about 20 months and closes some important security gaps.
Users should update immediately
The current release, version 0.71 from March 16th, 2019, can be downloaded from the official project homepage.
The project released 32- and 64-bit MSI installer packages as well as a source code archive. As usual with PuTTY, you can also download all components of the package individually as executables.
Because of the fixed vulnerabilities listed in the changelog, we can only recommend updating all PuTTY clients immediately.
As with all security-relevant software, the digital fingerprints, i.e. the hashes, should be checked after the download. Alternatively, the team of authors also offers GPG signatures for checking the authenticity of the archives. Furthermore, you should not download this tool from third-party websites or unknown sources other than the official mirrors. Security-relevant open source software in particular is also used by unverified third-party sources to get modified, malicious builds onto systems.
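The hash check described above, as an added example that is not from the original post or the PuTTY project: a small POSIX shell script that compares a downloaded file's SHA-256 against the published value before it is installed, with an optional detached-signature check via gpg. The file names are assumptions; the "download" is an empty file constructed for the demonstration, whose SHA-256 is a well-known constant, and no real PuTTY checksums appear here.

```shell
#!/bin/sh
# Added example, not code from the original post or from the PuTTY project.
# Checks a downloaded file against a published SHA-256 value (the format
# "<hex>  <filename>" is what sha256sum prints) and, optionally, against a
# detached GPG signature. File names and hashes below are constructed.

# Print the SHA-256 hex digest of a file, using whichever tool exists.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare a file's digest with the expected one. Returns 0 on match and 1 on
# mismatch, so it can gate the install step in a script.
verify_sha256() {
    file="$1"
    expected="$2"
    actual=$(file_sha256 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the expected SHA-256"
        return 0
    fi
    echo "MISMATCH: $file"
    echo "  expected: $expected"
    echo "  actual:   $actual"
    return 1
}

# Verify a detached GPG signature (signature file first, then the data file).
# Assumes the project's signing key has already been imported; returns gpg's
# exit status (0 = good signature) or 2 when gpg is not installed.
verify_gpg_signature() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; skipping signature check"
        return 2
    fi
    gpg --verify "$1" "$2" 2>/dev/null
}

# Demonstration on constructed input: an empty file stands in for the
# installer; the SHA-256 of empty input is the well-known constant below.
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
demo_dir=$(mktemp -d)
: > "$demo_dir/installer.msi"
# A one-byte file stands in for a modified download.
printf 'x' > "$demo_dir/tampered.msi"

verify_sha256 "$demo_dir/installer.msi" "$EMPTY_SHA256"
verify_sha256 "$demo_dir/tampered.msi" "$EMPTY_SHA256" \
    || echo "refusing to install tampered.msi"
# No signature or key exists in the demo, so this check reports a failure.
verify_gpg_signature "$demo_dir/installer.msi.gpg" "$demo_dir/installer.msi" \
    || echo "signature not verified (expected in this demo)"
rm -rf "$demo_dir"
```

In practice the expected digest comes from the checksum file on the official project homepage and the signature is checked only after the project's signing key has been imported; a mismatch in either check is a reason not to run the installer, whatever the download source claimed.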
Further information can be found on the official project homepage.
EU funding program for the security of open source software
With the support program EU-FOSSA, in which the European Commission offered rewards for submitted bugs in a selection of open source software, PuTTY was also included in the last round. For the period from January 16th to December 15th 2019, a total reward of 90,000€ was offered for fixed, PuTTY-related security gaps.
As a result of this program, the authors of PuTTY close five vulnerabilities submitted via EU-FOSSA with the current release:
- a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification
- potential recycling of random numbers used in cryptography
- on Windows, hijacking by a malicious help file in the same directory as the executable
- on Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding
- multiple denial-of-service attacks that can be triggered by writing to the terminal
For more information see the bug bounty page.
Other bugfixes by the team of authors
Besides the bugs reported by EU-FOSSA, the team closes more bugs and brings improvements in the area of security and usability.
All in all, further fixes from the EU program can be expected over the course of 2019, after development of PuTTY had slowed down in recent times.
PuTTY is in many programs
It should also not be forgotten that PuTTY, as open source software, is used directly or indirectly in other products. The Multi-PuTTY-Manager is one such example that uses an already existing PuTTY installation. Here, too, updating the PuTTY installation to close potential vulnerabilities is paramount. The same naturally applies to AutoPuTTY and similar software.
Moreover, it is also important to pay attention to software that integrates PuTTY or parts of it permanently or invisibly to the user. One example is WinSCP, which uses the PuTTY package component Pageant. In this case you may have to wait for a new release of the program.
The authors of PuTTY maintain a list of software containing PuTTY.
This blog post originally appeared on the German credativ blog.