If you are using putty, update it!
Security fixes found by an EU-funded bug bounty programme:
- a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification
- potential recycling of random numbers used in cryptography
- on Windows, hijacking by a malicious help file in the same directory as the executable
- on Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding
- multiple denial-of-service attacks that can be triggered by writing to the terminal
- Other security enhancements: major rewrite of the crypto code to remove cache and timing side channels.
https://www.chiark.greenend.org.uk/~sgtatham/putty/
Holy christ.
Comments
This should be pinned @FAT32
Putty?
Oh, you mean PuTTY!
I'm always surprised at how long Windows lacked a native ssh-client.
By the way, is it true that Windows 10 comes with a native ssh-client? Or is it the case only beginning with a specific update of Windows 10?
Well it comes with some sort of Ubuntu as subsystem which has a ssh installed.
Potty and PuTTY are the same thing.
Win 10 has a native ssh client? Never heard about it. They should make one because SecureCRT has been making a killing off the same software they've had for decades.
I've just checked and it appears that beginning with the Windows 10 October 2018 Update (version 1809, codename "Redstone 5"), there's a native ssh client available (indeed, it's a port of the OpenSSH client to PowerShell). For example, see:
https://library.osu.edu/blogs/it/native-ssh-client-support-in-windows-10/
As I understand it, this is independent of any Ubuntu subsystem (which no doubt has its own Linux ssh client).
Does anyone know if Kitty has the same issues?
Yes
Someone remind me to get a new binary for my XP box!
Just use linux as workstation...
If you game, have a different rig for that.
Hopefully a KiTTY update will follow soon
The developer admitted that one update fixed a "'game over' level vulnerability".
https://www.theregister.co.uk/2019/03/19/putty_patched_rsa_key_exchange_vuln/
Well, it's a good thing that they found the vulnerabilities! Just update your system as often as you change underwear.
Oh nice, now I shall use putty again xD
Even then, WinSCP and Filezilla, and also a bunch of other programs, are affected.
To be fair, Filezilla was an exploit with an FTP service as an afterthought.
Also, the PuTTY author was slightly besmirched above. He said "That bug never was released, but it would have been bad. Really, really bad. Like so totally bad your penis would fall off and your nuts would shrivel. But, still, better than using an Ubuntu abstraction layer."
However, that "game over" level vulnerability did not exist in any previous versions of PuTTY:
I don't think there's any reason to panic.
The most interesting (or serious) one fixed in the new version is "a remotely triggerable memory overwrite in RSA key exchange," but my bet is the attacker can't maneuver the memory to make it anything dangerous.
Note that most of the vulnerabilities are either difficult to exploit, or don't exist in a stable released version of PuTTY.
Windows 10 has a native SSH client and server now. The server works on Windows Server 2016 too, although you need to manually download and install it (whereas on Windows 10 it's in the optional features). https://www.howtogeek.com/336775/how-to-enable-and-use-windows-10s-built-in-ssh-commands/
Issue solved, I updated my PUSSYPUTTY. Thanks for the heads up. Been having issues and unidentified errors, after the update everything seems to be running smoothly. Thanks for the help boys n girls!
Anyone else use MobaXterm and/or know if it's also affected? https://mobaxterm.mobatek.net/
Last update seems to be about 2 months ago.
I weep for humanity when people are so damn dumb they assume that everything uses the same GPL library which was NOT affected by this issue in production.
Thanks for the update!
I think I am fine.. Right? Me only using localhost xd. Anyways great information!
Kill yourself in minecraft.
OK, YOU RIGHT
Btw, modern putty alternative with tabs: https://www.solarwinds.com/free-tools/solar-putty
Still uses putty under the hood and still affected by this vulnerability.
It's actually a real shame that there hasn't been any real innovation in the ssh client area for Windows. There are a few other SSH clients but none that rival the UX of PuTTY unfortunately.