CVE-2013-4206: Buffer Overflow
First published: Mon Aug 19 2013(Updated: )
Heap-based buffer underflow in the modmul function in sshbn.c in PuTTY before 0.63 allows remote SSH servers to cause a denial of service (crash) and possibly trigger memory corruption or code execution via a crafted DSA signature, which is not properly handled when performing certain bit-shifting operations during modular multiplication.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PuTTY | =0.45 | |
| PuTTY | =0.46 | |
| PuTTY | =0.47 | |
| PuTTY | =0.48 | |
| PuTTY | =0.49 | |
| PuTTY | =0.50 | |
| PuTTY | =0.51 | |
| PuTTY | =0.52 | |
| PuTTY | =0.53b | |
| PuTTY | =0.54 | |
| PuTTY | =0.55 | |
| PuTTY | =0.56 | |
| PuTTY | =0.57 | |
| PuTTY | =0.58 | |
| PuTTY | =0.59 | |
| PuTTY | =0.60 | |
| PuTTY | =0.61 | |
| PuTTY | =2010-06-01-r8967 | |
| PuTTY | <=0.62 | |
| PuTTY | =0.53 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00035.html
- http://secunia.com/advisories/54379
- http://secunia.com/advisories/54533
- http://svn.tartarus.org/sgt/putty/sshbn.c?sortby=date&r1=9977&r2=9976&pathrev=9977
- http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html
- http://www.debian.org/security/2013/dsa-2736
- http://www.openwall.com/lists/oss-security/2013/08/06/11
Frequently Asked Questions
What is the severity of CVE-2013-4206?
CVE-2013-4206 is classified as a denial of service vulnerability that can lead to application crashes.
How do I fix CVE-2013-4206?
To fix CVE-2013-4206, you should upgrade to PuTTY version 0.63 or later.
What software is affected by CVE-2013-4206?
CVE-2013-4206 affects PuTTY versions up to 0.62.
Can CVE-2013-4206 potentially lead to code execution?
Yes, CVE-2013-4206 may allow remote servers to trigger memory corruption or even code execution.
Is CVE-2013-4206 a local or remote vulnerability?
CVE-2013-4206 is a remote vulnerability, allowing attackers to exploit it via crafted DSA signatures.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/remedy
- agent/severity
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/putty
- canonical/putty
- version/putty/0.45
- version/putty/0.46
- version/putty/0.47
- version/putty/0.48
- version/putty/0.49
- version/putty/0.50
- version/putty/0.51
- version/putty/0.52
- version/putty/0.53b
- version/putty/0.54
- version/putty/0.55
- version/putty/0.56
- version/putty/0.57
- version/putty/0.58
- version/putty/0.59
- version/putty/0.60
- version/putty/0.61
- version/putty/2010-06-01-r8967
- vendor/simon tatham
- version/putty/0.62
- version/putty/0.53