All versions of the PuTTY suite prior to 0.72 have an integer underflow bug in the SSH-1 binary packet protocol, which might lead to a security vulnerability.
The packet length field in an SSH-1 packet takes a value which is 5 more than the number of actual data bytes in the packet. If the server sent a value less than 5, PuTTY's SSH-1 BPP code did not check it.
The resulting behaviour can vary between 32- and 64-bit builds of PuTTY, and possibly also between Linux and Windows. Possibilities include trying to allocate 2^32 bytes of memory and terminating the program when that fails; trying to allocate 2^32 bytes of memory and consuming excessive OS resources when that succeeds; passing a negative packet length to the rest of the code, with further unpredictable results.
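The length-field arithmetic described above, as an added example (not PuTTY's own code): the unchecked subtraction wraps when the field is below 5, and the hardened version rejects such values before deriving the data length. It assumes the SSH-1 framing in which the 4-byte big-endian length field counts the type byte, the data and the 4-byte CRC, and in which the padding length is 8 - (length mod 8); the header bytes are constructed samples.

```c
/* Added example, not PuTTY's code: validating the SSH-1 packet length
 * field. The field equals data_bytes + 5 (1 type byte + 4 CRC bytes),
 * so any value below 5 is malformed and must be rejected before use. */
#include <stdint.h>
#include <stdio.h>

#define SSH1_LEN_OVERHEAD 5u   /* type byte (1) + CRC (4) */

/* Constructed sample headers: the 4-byte big-endian length field. */
static const unsigned char kHdrShort[4] = {0x00, 0x00, 0x00, 0x03}; /* len 3 */
static const unsigned char kHdrMin[4]   = {0x00, 0x00, 0x00, 0x05}; /* len 5 */
static const unsigned char kHdrOk[4]    = {0x00, 0x00, 0x01, 0x00}; /* len 256 */

static uint32_t ssh1_get_len(const unsigned char hdr[4]) {
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
}

/* Unchecked form (the pre-0.72 pattern): for len < 5 the unsigned
 * subtraction wraps to a value just under 2^32, which is then used as
 * an allocation size or a signed length by the caller. */
uint32_t ssh1_data_len_unchecked(const unsigned char hdr[4]) {
    return ssh1_get_len(hdr) - SSH1_LEN_OVERHEAD;
}

/* Hardened form: returns the number of data bytes, or -1 if the field
 * is below the fixed overhead or above the caller's sane maximum. */
int64_t ssh1_data_len_checked(const unsigned char hdr[4], uint32_t max_len) {
    uint32_t len = ssh1_get_len(hdr);
    if (len < SSH1_LEN_OVERHEAD || len > max_len)
        return -1;
    return (int64_t)(len - SSH1_LEN_OVERHEAD);
}

/* Total bytes on the wire for a validated length field: 4 (field) +
 * padding (8 - len % 8, assumed SSH-1 framing) + len. Call only after
 * ssh1_data_len_checked has accepted len. */
uint64_t ssh1_wire_len(uint32_t len) {
    return 4u + (8u - (len % 8u)) + (uint64_t)len;
}

int main(void) {
    printf("unchecked, len 3 : %u\n", ssh1_data_len_unchecked(kHdrShort));
    printf("checked,   len 3 : %lld\n", (long long)ssh1_data_len_checked(kHdrShort, 262144));
    printf("checked,   len 256: %lld\n", (long long)ssh1_data_len_checked(kHdrOk, 262144));
    return 0;
}
```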
The bug can occur before host key verification, because the length field is the same in all packets, encrypted or not. So in any situation where a bad effect can be caused by this bug, a network attacker intercepting your connection could cause the bad effect before being detected as not the real server.
This bug only affects the obsolete SSH-1 protocol, which is rarely used. In PuTTY 0.68 and later, we no longer support automatic fallback to SSH-1 from SSH-2, so any saved session configured to the default of SSH-2 will not be vulnerable to this issue.
This vulnerability was found as part of a bug bounty programme run under the auspices of the EU-FOSSA project.