Home | FAQ | Contact | Privacy Policy
US-CERT
Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information
 

 View Notes By
Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric

 Other Documents
Technical Alerts

Technical Bulletins

Alerts

Security Tips

PuTTY Information for VU#958563

Date Notified:2008-11-07
Date Updated:2009-01-05
Statement Date:
Status Summary:Vulnerable

Vendor Statement

The latest release (0.60) of PuTTY will always preferentially select CTR-mode ciphers over CBC-mode, and cannot even be configured by the user to do otherwise. Therefore, it is immune to this vulnerability when talking to any server which supports CTR mode.

    Development snapshots of PuTTY beginning with 2008-11-27 will contain a countermeasure which avoids leaking information through this attack even when operating in CBC mode. Future releases of PuTTY will also contain this countermeasure.

    (That is, the countermeasures will prevent PuTTY from leaking information about data previously sent from the server to the client. Protecting data sent from client to server, such as passwords, must be done by the server.)

    We are currently not treating this vulnerability as severe enough to warrant an emergency security release.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.
     

Produced 2009 by US-CERT, a government organization
Disclaimers and copyright information