ASA-2019-00552 – PuTTY: Use-after-free on SSH1_MSG_DISCONNECT


Allele Security Alert

ASA-2019-00552

Identifier(s)

ASA-2019-00552, CVE-2019-17069

Title

Use-after-free on SSH1_MSG_DISCONNECT

Vendor(s)

PuTTY team

Product(s)

PuTTY

Affected version(s)

PuTTY versions before 0.73

Fixed version(s)

PuTTY version 0.73

Proof of concept

Unknown

Description

An SSH-1 server could trigger an access to freed memory by sending the SSH1_MSG_DISCONNECT message.

Technical details

In ssh2_connection_filter_queue(), the code that processes a disconnect message carefully avoids dereferencing the input ‘ppl’ pointer after ssh_remote_error() returns, because the object it points to will have been freed by then. ssh1_connection_filter_queue() did not take the same precaution.
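
The pattern described above, as an added example that is not PuTTY's code and not part of the original alert: a simplified C model in which every name (`struct layer`, `remote_error`, `filter_unsafe`, `filter_safe`, `count_stale`) is hypothetical and the "free" only clears a flag, so a use after teardown is counted instead of being undefined behaviour. The early return in `filter_safe` is one way to avoid touching ‘ppl’ after the teardown call, assumed here for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not PuTTY source; every name here is hypothetical. */
enum { MSG_DATA = 1, MSG_DISCONNECT = 2 };
struct layer {
    bool alive;     /* cleared instead of free(), so stale use is countable */
    int queue_len;  /* stands in for state reached through 'ppl' */
};
static int stale_accesses;  /* uses of a layer after it was "freed" */

/* Models the error path: tearing down the connection frees the layer. */
static void remote_error(struct layer *ppl) { ppl->alive = false; }

/* Every use of layer state goes through here, so stale uses are counted. */
static void layer_consume(struct layer *ppl) {
    stale_accesses += !ppl->alive;
    ppl->queue_len--;
}

/* Unsafe shape: falls through and touches 'ppl' after the teardown call. */
void filter_unsafe(struct layer *ppl, int msg) {
    if (msg == MSG_DISCONNECT)
        remote_error(ppl);
    layer_consume(ppl);     /* stale when msg was a disconnect */
}

/* Safe shape: return straight after the call that may free 'ppl'. */
void filter_safe(struct layer *ppl, int msg) {
    if (msg == MSG_DISCONNECT) {
        remote_error(ppl);
        return;             /* 'ppl' is not used past this point */
    }
    layer_consume(ppl);
}

/* Runs one message through a filter; returns the stale-use count. */
int count_stale(void (*filter)(struct layer *, int), int msg) {
    struct layer l = { true, 1 };
    stale_accesses = 0;
    filter(&l, msg);
    return stale_accesses;
}

int main(void) {
    printf("unsafe=%d safe=%d\n", count_stale(filter_unsafe, MSG_DISCONNECT),
           count_stale(filter_safe, MSG_DISCONNECT));
    return 0;
}
```

In real code the same check is done by running the disconnect path under a memory-error detector such as AddressSanitizer, which reports the stale access that this model only counts.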

Credits

Ulrich Jannet

Reference(s)

PuTTY 0.73 is released
https://lists.tartarus.org/pipermail/putty-announce/2019/000029.html

Download PuTTY: release 0.73
https://www.chiark.greenend.org.uk/~sgtatham/putty/releases/0.73.html

Fix use-after-free on SSH1_MSG_DISCONNECT.
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=69201ad8936fe0ff1b8723b7a43accb5e9f1c888

CVE-2019-17069
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17069

CVE-2019-17069
https://nvd.nist.gov/vuln/detail/CVE-2019-17069

Last modified: October 7, 2019