FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

PuTTY -- fails to scrub private keys from memory after use

Affected packages
putty < 0.64

Details

VuXML ID 92fc2e2b-c383-11e4-8ef7-080027ef73ec
Discovery 2015-02-28
Entry 2015-03-05

Simon Tatham reports:

When PuTTY has sensitive data in memory and has no further need for it, it should wipe the data out of its memory, in case malware later gains access to the PuTTY process or the memory is swapped out to disk or written into a crash dump file. An obvious example of this is the password typed during SSH login; other examples include obsolete session keys, public-key passphrases, and the private halves of public keys.

PuTTY 0.63 and earlier versions, after loading a private key from a disk file, mistakenly leak a memory buffer containing a copy of the private key, in the function ssh2_load_userkey. The companion function ssh2_save_userkey (only called by PuTTYgen) can also leak a copy, but only in the case where the file it tried to save to could not be created.
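The leak pattern described in the report and the usual fix, as an added example that is not PuTTY's code: a working copy of key material has to be wiped on every exit path before it is released. All names here (`load_key_leaky`, `load_key_scrubbed`, `secure_wipe`, `residue`) and the sample key are constructed, and `work` is a caller-supplied buffer standing in for the heap allocation so the leftover bytes can be inspected.

```c
#include <stddef.h>
#include <string.h>
#define KEY_MAX 64
/* Constructed sample standing in for private key material read from disk. */
static const unsigned char SAMPLE_KEY[] = "constructed-private-key-material";

/* Volatile stores so the wipe is not optimised away as a dead write. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}
/* Number of non-zero bytes left behind in a buffer. */
static size_t residue(const unsigned char *buf, size_t n) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++) count += (buf[i] != 0);
    return count;
}
/* Leaky pattern: every return abandons `work` with the key still in it. */
static int load_key_leaky(const unsigned char *blob, size_t n,
                          unsigned char *work, unsigned char *out) {
    if (n == 0 || n > KEY_MAX) return -1;
    memcpy(work, blob, n);           /* temporary copy of the secret */
    if (work[0] == 0) return -1;     /* stand-in format check fails */
    memcpy(out, work, n);
    return 0;
}

/* Fixed pattern: a single exit wipes the copy on success and on error. */
static int load_key_scrubbed(const unsigned char *blob, size_t n,
                             unsigned char *work, unsigned char *out) {
    int rc = -1;
    if (n == 0 || n > KEY_MAX) return -1;   /* nothing copied yet */
    memcpy(work, blob, n);
    if (work[0] == 0) goto done;
    memcpy(out, work, n);
    rc = 0;
done:
    secure_wipe(work, n);
    return rc;
}

int main(void) {
    unsigned char work[KEY_MAX] = {0}, out[KEY_MAX];
    size_t n = sizeof SAMPLE_KEY - 1;
    load_key_leaky(SAMPLE_KEY, n, work, out);
    size_t leaked = residue(work, sizeof work);
    load_key_scrubbed(SAMPLE_KEY, n, work, out);
    return (leaked == n && residue(work, sizeof work) == 0) ? 0 : 1;
}
```

The error branch matters as much as the success branch: the report notes that the save function leaked only when the file could not be created, which is the kind of early exit the single `done:` label covers.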

References

CVE Name CVE-2015-2157
URL http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html