PuTTY vulnerability vuln-passwd-memdump

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Pre-release · Snapshot | Docs | Privacy | Changes | Wishlist

summary: Failure to scrub SSH-2 password from memory after use
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
present-in: 0.53b
fixed-in: 2003-01-10 10c1d43ac6004943e8cfb55b9a8483cc080e3ea9 (0.54)

As reported in iDEFENSE Security Advisory 01.28.03, PuTTY 0.53b fails to scrub the password from a memory buffer after authentication, making it trivially easy for an attacker with access to a memory dump to recover the password. (This only applies when using SSH-2.)

This is fixed in the nightly development snapshots as of 2003-01-10, and will be fixed in the next stable release.

This vulnerability corresponds to CVE-2003-0048.


If you want to comment on this web site, see the Feedback page.
Audit trail for this vulnerability.
(last revision of this bug record was at 2019-03-21 07:16:27 +0000)