FreeBSD : PuTTY -- fails to scrub private keys from memory after use (92fc2e2b-c383-11e4-8ef7-080027ef73ec)

Low Nessus Plugin ID 81659


The remote FreeBSD host is missing a security-related update.


Simon Tatham reports:

When PuTTY has sensitive data in memory and has no further need for it, it should wipe the data out of its memory, in case malware later gains access to the PuTTY process or the memory is swapped out to disk or written into a crash dump file. An obvious example of this is the password typed during SSH login; other examples include obsolete session keys, public-key passphrases, and the private halves of public keys.

PuTTY 0.63 and earlier versions, after loading a private key from a disk file, mistakenly leak a memory buffer containing a copy of the private key, in the function ssh2_load_userkey. The companion function ssh2_save_userkey (only called by PuTTYgen) can also leak a copy, but only in the case where the file it tried to save to could not be created.


Update the affected package.

Plugin Details

Severity: Low

ID: 81659

File Name: freebsd_pkg_92fc2e2bc38311e48ef7080027ef73ec.nasl

Version: $Revision: 1.2 $

Type: local

Published: 2015/03/06

Modified: 2015/03/30

Dependencies: 12634

Risk Information

Risk Factor: Low


Base Score: 2.1

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:putty, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2015/03/05

Vulnerability Publication Date: 2015/02/28

Reference Information

CVE: CVE-2015-2157