18 March 2019

New PuTTY version after almost 2 years

The open-source SSH client PuTTY, popular among Windows administrators, was released in a new version last Saturday. This update closes several critical security vulnerabilities. The last version of PuTTY was released around 20 months ago.

Users should update urgently

The newly released version 0.71 was made available for download last Saturday, March 16, 2019.

PuTTY is available as a 32- and 64-bit MSI installer package as well as a source archive. As is customary with PuTTY, all components of the package can also be downloaded individually as executables.

Based on the security vulnerabilities listed and fixed in the changelog, we can only strongly recommend updating all PuTTY clients.

As with any security-relevant software, the digital fingerprints (hashes) of the downloads should be verified. In addition, the author team provides GPG signatures with which the authenticity of the archives can be checked. Furthermore, you should not download this tool from third-party, unknown sources: unverified download sites frequently use security-relevant open-source software in particular as a vehicle for getting modified, and sometimes malicious, builds onto systems.
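As an added example (not code from the original post or from the PuTTY project), the following Python script checks downloaded files against a coreutils-style `sha256sums` list of the kind PuTTY publishes alongside its downloads; the file names and contents in the demo are constructed, not real PuTTY values.

```python
import hashlib
import os
import tempfile

def parse_sha256sums(text):
    """Parse 'HASH  FILENAME' (or 'HASH *FILENAME') lines into {filename: hexdigest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop separator and the binary-mode marker
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[name] = digest
    return expected

def sha256_of_file(path):
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_downloads(sums_text, directory):
    """Return {entry: 'ok' | 'MISMATCH' | 'missing'} for every entry in the checksum list.
    Entries may carry a relative path (e.g. 'w64/...'); only the basename is looked up."""
    results = {}
    for name, digest in parse_sha256sums(sums_text).items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_of_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results

def demo():
    # Constructed sample: one genuine download, one altered after download, one never fetched.
    genuine = hashlib.sha256(b"installer bytes").hexdigest()
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.msi"), "wb") as f:
            f.write(b"installer bytes")
        with open(os.path.join(d, "tampered.msi"), "wb") as f:
            f.write(b"installer bytes, modified")
        sums = "\n".join([f"{genuine}  w64/good.msi",
                          f"{genuine} *w64/tampered.msi",   # publisher's hash of the genuine file
                          f"{'0' * 64}  w64/absent.msi"])
        return verify_downloads(sums, d)
```

The checksum list itself must in turn be checked against its GPG signature, since whoever can swap the installer on a mirror can usually swap an unsigned checksum file as well.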

You can find more information on the official project homepage.

EU funding program for the security of open-source software

PuTTY was among the projects included in the latest round of the EU-FOSSA funding program, in which the European Commission offers rewards for bugs submitted in a selection of open-source software. For the period from January 16, 2019 to December 15, 2019, a total reward of €90,000 was offered for security vulnerabilities reported in PuTTY.

As a result of this program, the PuTTY authors are closing five security vulnerabilities with the current release that were submitted to EU-FOSSA:

  • Before host key verification, memory can be overwritten remotely during the RSA key exchange
  • Possible reuse of random numbers for encryption
  • On Windows, an attacker can manipulate a help file and thus gain control of PuTTY
  • On Unix systems, a buffer overflow can be triggered remotely
  • Various denial-of-service attacks by writing to the terminal

More information about the bug bounty program is available here.

Further bug fixes by the author team

In addition to the bugs reported via EU-FOSSA, the team is fixing further issues and delivering improvements in the areas of security and usability.

Overall, the EU program suggests that further fixes can be expected over the course of 2019, after a quieter period in PuTTY's development.

PuTTY is embedded in many programs

It should also not be forgotten that PuTTY, being open-source software, is used directly or indirectly in other products as well. One example is the Multi-PuTTY-Manager, which uses an existing PuTTY installation. Here, too, it is important to remember to update that PuTTY installation to close the security vulnerabilities. The same naturally applies to AutoPutty and similar tools.

Also important is software that integrates PuTTY or parts of it permanently or invisibly to the user. One example is WinSCP, which uses the PuTTY package component Pageant. In such cases, it may be necessary to wait for a new release of the embedding software.

The PuTTY authors maintain a list of software that includes PuTTY.

Categories: News
Tags: PuTTY Security Updates

About the author

Peter Dreuw

Head of Sales & Marketing


Peter Dreuw has been working for credativ GmbH since 2016 and has been a team lead since 2017. Since 2021, he has been part of Instaclustr’s management team as VP Services. Following the acquisition by NetApp, his new role became “Senior Manager Open Source Professional Services”. As part of the spin-off, he became a member of the executive management as an authorized signatory. His responsibilities include leading sales and marketing. He has been a Linux user from the very beginning and has been running Linux systems since kernel 0.97. Despite extensive experience in operations, he is a passionate software developer and is also well versed in hardware-near systems.
