SSH client PuTTY contained serious key exchange flaw

• The flaw could have allowed a man-in-the-middle (MITM) attacker to compromise SSH sessions secretly.
• The latest version of the SSH client addresses this vulnerability along with other security flaws.

Popular SSH client PuTTY was found to have a critical bug that could allow MITM attacks. The flaw, designated as vuln-dss-verify, primarily affects DSA signature checking and can provide the attacker an opportunity to bypass signature checks. Apparently, vuln-dss-verify was evident only on PuTTY’s development builds created in 2019.

The big picture

• The vulnerability was discovered by researcher Filipe Casal as part of a bug bounty program under EU-FOSSA project.
• Vulnerable versions of PuTTY had a fixed signature that allowed attackers to easily bypass signature checks.
• All the release versions of PuTTY (including 0.70) other than development builds were unaffected by the bug.
• Only development snapshot builds from us dated 2019, before 2019-02-11, are affected.
• In addition, PuTTY with no DSA host keys cached on the OS also remained unaffected.

Why it matters - Simon Tatham, the creator of the free SSH client, shed light on how the bug could be disastrous.

“If PuTTY has any cached ssh-dss key for the server that the client is trying to connect to, the man-in-the-middle attacker can silently compromise the connection. If PuTTY has no DSA host key for the target server, and the server has a real DSA host key, the attacker can arrange that the host key confirmation dialog presented to the client user is the correct one and still compromise the connection if that key is accepted,” he wrote in a blog.

Fixed in version 0.71

Tatham’s post also mentions that the flaw is fixed in the latest version 0.71 of PuTTY. On the other hand, this version also fixes other issues such as buffer overflow errors observable on Windows and Unix operating systems.