PuTTY Information for VU#845620

Multiple RSA implementations fail to properly handle signatures

Status

Not Affected

Vendor Statement

I do not believe that any program in the PuTTY suite is, or has ever been, vulnerable to this attack.

The RSA verification code is in the function rsa2_verifysig() in our source file sshrsa.c, and a quick inspection shows clearly that it rigorously enforces that the ASN.1 data and hash value must be at the very bottom of the PKCS#1 padded integer.

For good measure, our RSA key generator does not, and has never, generated keys with an exponent of 3. (This has nothing to do with whether we're vulnerable to the attack itself, of course, but it does mean we are also not generating keys which can be abused to mount the attack against other systems.)

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.