CVE-2013-4208: Infoleak
First published: Mon Aug 19 2013(Updated: )
The rsa_verify function in PuTTY before 0.63 (1) does not clear sensitive process memory after use and (2) does not free certain structures containing sensitive process memory, which might allow local users to discover private RSA and DSA keys.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PuTTY | =0.45 | |
| PuTTY | =0.46 | |
| PuTTY | =0.47 | |
| PuTTY | =0.48 | |
| PuTTY | =0.49 | |
| PuTTY | =0.50 | |
| PuTTY | =0.51 | |
| PuTTY | =0.52 | |
| PuTTY | =0.53b | |
| PuTTY | =0.54 | |
| PuTTY | =0.55 | |
| PuTTY | =0.56 | |
| PuTTY | =0.57 | |
| PuTTY | =0.58 | |
| PuTTY | =0.59 | |
| PuTTY | =0.60 | |
| PuTTY | =0.61 | |
| PuTTY | <=0.62 | |
| PuTTY | =0.53 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00035.html
- http://secunia.com/advisories/54379
- http://secunia.com/advisories/54533
- http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html
- http://www.debian.org/security/2013/dsa-2736
- http://www.openwall.com/lists/oss-security/2013/08/06/11
Frequently Asked Questions
What is the severity of CVE-2013-4208?
CVE-2013-4208 is classified as a high severity vulnerability due to the potential exposure of sensitive cryptographic keys.
How do I fix CVE-2013-4208?
To fix CVE-2013-4208, upgrade PuTTY to version 0.63 or later where the vulnerability has been addressed.
Who is affected by CVE-2013-4208?
Local users running PuTTY versions prior to 0.63 are affected by CVE-2013-4208.
What are the risks associated with CVE-2013-4208?
The risks associated with CVE-2013-4208 include potential unauthorized access to private RSA and DSA keys.
Is there a workaround for CVE-2013-4208?
While upgrading is the recommended solution for CVE-2013-4208, minimizing local access can reduce the risk temporarily.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/putty
- canonical/putty
- version/putty/0.45
- version/putty/0.46
- version/putty/0.47
- version/putty/0.48
- version/putty/0.49
- version/putty/0.50
- version/putty/0.51
- version/putty/0.52
- version/putty/0.53b
- version/putty/0.54
- version/putty/0.55
- version/putty/0.56
- version/putty/0.57
- version/putty/0.58
- version/putty/0.59
- version/putty/0.60
- version/putty/0.61
- vendor/simon tatham
- version/putty/0.62
- version/putty/0.53