Allele Security Alert
ASA-2019-00552
Identifier(s)
ASA-2019-00552, CVE-2019-17069
Title
Use-after-free on SSH1_MSG_DISCONNECT
Vendor(s)
PuTTY team
Product(s)
PuTTY
Affected version(s)
PuTTY versions before 0.73
Fixed version(s)
PuTTY version 0.73
Proof of concept
Unknown
Description
An SSH-1 server could trigger an access to freed memory by sending the SSH1_MSG_DISCONNECT message.
Technical details
When ssh2_connection_filter_queue() processes a disconnect message, it carefully avoids dereferencing the input ‘ppl’ pointer after ssh_remote_error() returns, because the object it points to will have been freed by then. ssh1_connection_filter_queue() did not take the same precaution.
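The pattern described above, reduced to a small C model as an added example; it is not PuTTY's code, and every function name, the message constants and the return values are constructed for illustration. Freeing is modelled by a flag so that a read after the free can be counted instead of causing undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not PuTTY source; all names are hypothetical. */
enum { MSG_DISCONNECT = 1, MSG_DATA = 2 };

struct layer {
    bool freed;      /* stands in for free(): set by remote_error() */
    int  uaf_reads;  /* reads made after the layer was "freed" */
    int  queue_len;
};

/* All field reads go through here so a post-free read is recorded. */
static int layer_queue_len(struct layer *ppl) {
    if (ppl->freed) ppl->uaf_reads++;
    return ppl->queue_len;
}

/* Models the error handler: tearing down the connection frees the layer. */
static void remote_error(struct layer *ppl) { ppl->freed = true; }

/* Pre-fix shape: keeps using 'ppl' after the call that freed it. */
static bool filter_queue_unsafe(struct layer *ppl, int msg) {
    if (msg == MSG_DISCONNECT)
        remote_error(ppl);
    return layer_queue_len(ppl) > 0;   /* read of freed layer */
}

/* Fixed shape: return straight after the freeing call, no further reads. */
static bool filter_queue_safe(struct layer *ppl, int msg) {
    if (msg == MSG_DISCONNECT) {
        remote_error(ppl);
        return true;                   /* 'ppl' is dead from here on */
    }
    return layer_queue_len(ppl) > 0;
}

/* Runs one message through a filter and returns the post-free read count. */
static int uaf_reads_for(bool (*filter)(struct layer *, int), int msg) {
    struct layer l = { false, 0, 3 };
    filter(&l, msg);
    return l.uaf_reads;
}

int main(void) {
    printf("unsafe: %d\n", uaf_reads_for(filter_queue_unsafe, MSG_DISCONNECT));
    printf("safe:   %d\n", uaf_reads_for(filter_queue_safe, MSG_DISCONNECT));
    return 0;
}
```

In real code the same check is done by building with AddressSanitizer, which reports the read in the unsafe shape as a heap-use-after-free.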
Credits
Ulrich Jannet
Reference(s)
PuTTY 0.73 is released
https://lists.tartarus.org/pipermail/putty-announce/2019/000029.html
Download PuTTY: release 0.73
https://www.chiark.greenend.org.uk/~sgtatham/putty/releases/0.73.html
Fix use-after-free on SSH1_MSG_DISCONNECT.
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=69201ad8936fe0ff1b8723b7a43accb5e9f1c888
CVE-2019-17069
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17069
CVE-2019-17069
https://nvd.nist.gov/vuln/detail/CVE-2019-17069
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 7, 2019