Allele Security Alert
Hijacking sockets used for local port forwarding
PuTTY versions before 0.73
PuTTY version 0.73
Proof of concept
On Windows, the listening sockets used for local port forwarding were opened in a mode that did not prevent other processes from also listening on the same ports and stealing some of the incoming connections.
Unlike sensible IP stacks, Windows requires a non-default socket option to prevent a second application from binding to a port you were already listening on, causing some of your incoming connections to be diverted. Use SO_EXCLUSIVEADDRUSE for listening sockets.
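The fix described above, as an added example (not PuTTY's code, which is C in winnet): a listener that requests exclusive use of its port on Windows, plus a self-test that a second bind to the same port is refused. The function names and the loopback address are assumptions chosen for the illustration.

```python
import socket
import sys


def open_forwarding_listener(port=0, host="127.0.0.1"):
    """Open a listening socket for a local forwarding (port 0: OS picks one)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if sys.platform == "win32":
            # Must be set before bind(): Windows then refuses any other
            # bind to this port for as long as the socket is open.
            s.setsockopt(socket.SOL_SOCKET, socket.SO_EXCLUSIVEADDRUSE, 1)
        # On other platforms the default is already exclusive, provided
        # SO_REUSEADDR / SO_REUSEPORT are NOT set on the listener.
        s.bind((host, port))
        s.listen(5)
    except OSError:
        s.close()
        raise
    return s


def port_can_be_shared(port, host="127.0.0.1"):
    """Self-test: report whether a second socket can still bind to the port."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Address reuse is the case SO_EXCLUSIVEADDRUSE exists to block.
        probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        probe.bind((host, port))
        return True
    except OSError:
        return False
    finally:
        probe.close()


if __name__ == "__main__":
    listener = open_forwarding_listener()
    port = listener.getsockname()[1]
    shared = port_can_be_shared(port)
    print("port %d: second bind %s" % (port, "ACCEPTED" if shared else "refused"))
    listener.close()
    sys.exit(1 if shared else 0)
```

Run as a script, it exits non-zero if the listening port could still be bound a second time.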
PuTTY 0.73 is released
Download PuTTY: release 0.73
winnet: use SO_EXCLUSIVEADDRUSE for listening sockets.
Last modified: October 6, 2019