Multiple denial-of-service attacks that can be triggered by writing to the terminal exist in PuTTY versions before 0.71.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Multiple denial-of-service attacks that can be triggered by writing to the terminal exist in PuTTY     versions before 0.71. (CVE-2019-9897)

Note that Nessus relies on the presence of the package as reported by the vendor.

Multiple vulnerabilities were found in the PuTTY SSH client, which could result in denial of service and potentially the execution of arbitrary code. In addition, in some situations random numbers could potentially be re-used.

For Debian 8 'Jessie', these problems have been fixed in version 0.63-10+deb8u2.

We recommend that you upgrade your putty packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities were found in the PuTTY SSH client, which could result in denial of service and potentially the execution of arbitrary code. In addition, in some situations random numbers could potentially be re-used.

This update for putty fixes the following issues :

Update to new upstream release 0.71 [boo#1129633]

  - CVE-2019-9894: Fixed a remotely triggerable memory     overwrite in RSA key exchange, which can occur before     host key verification potential recycling of random     numbers used in cryptography.

  - CVE-2019-9895: Fixed a remotely triggerable buffer     overflow in any kind of server-to-client forwarding.

  - CVE-2019-9897: Fixed multiple denial-of-service attacks     that can be triggered by writing to the terminal.

  - CVE-2019-9898: Fixed potential recycling of random     numbers used in cryptography

  - CVE-2019-9896 (Windows only): Fixed hijacking by a     malicious help file in the same directory as the     executable

  - Major rewrite of the crypto code to remove cache and     timing side channels.

This is new version of putty fixing few security vulnerabilities.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host has a version of PuTTY installed that is prior to 0.71. It is, therefore, affected by multiple vulnerabilities including:

  - A remotely triggerable buffer overflow in any kind of     server-to-client forwarding. (CVE-2019-9895)

  - Potential recycling of random numbers used in cryptography.
    (CVE-2019-9898)

  - A remotely triggerable memory overwrite in RSA key exchange can     occur before host key verification. (CVE-2019-9894)

This is new version of putty.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
254051	Linux Distros Unpatched Vulnerability : CVE-2019-9897	Nessus	Misc.	high
124283	Debian DLA-1763-1 : putty security update	Nessus	Debian Local Security Checks	critical
123692	Debian DSA-4423-1 : putty - security update	Nessus	Debian Local Security Checks	critical
123660	openSUSE Security Update : putty (openSUSE-2019-1113)	Nessus	SuSE Local Security Checks	critical
123479	Fedora 28 : putty (2019-9e1a1cd634)	Nessus	Fedora Local Security Checks	critical
123418	PuTTY < 0.71 Multiple Vulnerabilities	Nessus	Windows	critical
123139	Fedora 29 : putty (2019-5776dfe300)	Nessus	Fedora Local Security Checks	critical

Detections

Analytics

CVE-2019-9897

high

Tenable Plugins

high

critical

critical

critical

critical

critical

critical