Simon Tatham PuTTY 直到 2010-06-01 Modular Multiplication modmul 内存损坏
| CVSS 元临时分数 | 当前攻击价格 (≈) | CTI兴趣分数 |
|---|---|---|
| 9.5 | $0-$5k | 0.00 |
摘要
检测到一个被分类为棘手的安全漏洞,影响Simon Tatham PuTTY。 受此漏洞影响的是功能modmul的组件Modular Multiplication Handler。 对的操作导致 内存损坏。 此漏洞被标识为CVE-2013-4206。 没有可用的漏洞利用。 建议升级受影响的组件。
细节
检测到一个被分类为棘手的安全漏洞,影响Simon Tatham PuTTY。 受此漏洞影响的是功能modmul的组件Modular Multiplication Handler。 对的操作导致 内存损坏。 使用CWE来声明会导致 CWE-119 的问题。 此安全漏洞在 2013-08-06 由Mark Wooding 以PuTTY vulnerability vuln-modmul编号 以公告 (网站)公开发布。 索取公告的网址是chiark.greenend.org.uk。 已与供应商协调公开发布。
此漏洞被标识为CVE-2013-4206。 CVE分配发生在2013-06-12。 技术详情可用。 该漏洞的流行度高于平均水平。 没有可用的漏洞利用。 目前漏洞的结构决定了可能的价格范围为美元价USD $0-$5k。 公告指出:
In order to get as many useful bits as possible out of each division, modmul starts by shifting the modulus left so that its highest set bit appears at the top of a machine word. To correct for that shift in the following calculation, the last thing it does is to shift the entire output value left by the same number of bits, reduce it again, and shift back down. A missing bounds check can cause it to allocate the array it uses to store that output value with too little capacity, with the effect that the bit-shifting process runs off the beginning of the array and corrupts data preceding it in memory. The corrupted data will typically consist of other values involved in the same modular multiplication, and the heap block headers in between them. Since the shifted data is shifted back again immediately after the final modular reduction, this bug would be harmless (though still wrong) except for the fact that one word at the bottom of the data is not shifted back down. By choosing the inputs to modmul to have appropriate lengths relative to each other, that one unrestored word can be made to point at a heap block header. The modmul function is called during validation of any DAS signature received by PuTTY, including during the initial key exchange phase. Therefore, this bug can be exploited by a malicious server, before the client has received and verified a host key signature. So this attack can be performed by a man-in-the-middle between the SSH client and server, and the normal host key protections against MITM attacks are bypassed. Even if you trust the server you think you are connecting to, you are not safe.
如果存在长度,则其被声明为 未定义。 估计零日攻击的地下价格约为$25k-$100k。 公告指出:
We are currently unaware of any way in which this can lead to remote code execution or controlled memory overwriting, since the overwritten heap block cannot be assigned an arbitrary value by the attacker, only shifted left by a chosen number of bits. However, we cannot be sure of that. Nessus 扫描器包含 ID 为 69318 的插件。 分配到Windows类别。 商业漏洞扫描器Qualys能够使用插件166403 (OpenSuSE Security Update for Filezilla (openSUSE-SU-2013:1347-1))检测此问题。
升级到版本 0.63 可以解决此问题。 新版现已上线,可通过chiark.greenend.org.uk进行下载。 建议升级受影响的组件。 在漏洞披露后 立即 已经发布了可能的缓解方法。 公告包含以下备注:
This bug does not affect RSA keys.
此漏洞同样在其他漏洞数据库中有记录:SecurityFocus (BID 61599), Secunia (SA54354), Vulnerability Center (SBV-40972) , Tenable (69318)。
产品
类型
供应商
名称
版本
许可证
CPE 2.3
CPE 2.2
CVSSv4
VulDB 向量: 🔍VulDB 可靠性: 🔍
CVSSv3
VulDB 元基础分数: 10.0VulDB 元临时分数: 9.5
VulDB 基本分数: 10.0
VulDB 临时得分: 9.5
VulDB 向量: 🔍
VulDB 可靠性: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 向量 | 复杂性 | 身份验证 | 保密 | 完整性 | 可用性 |
|---|---|---|---|---|---|
| 开锁 | 开锁 | 开锁 | 开锁 | 开锁 | 开锁 |
| 开锁 | 开锁 | 开锁 | 开锁 | 开锁 | 开锁 |
| 开锁 | 开锁 | 开锁 | 开锁 | 开锁 | 开锁 |
VulDB 基本分数: 🔍
VulDB 临时得分: 🔍
VulDB 可靠性: 🔍
NVD 基本分数: 🔍
利用
分类: 内存损坏CWE: CWE-119
CAPEC: 🔍
ATT&CK: 🔍
身体的: 否
本地: 否
远程: 是
可用性: 🔍
状态: 未定义
EPSS Score: 🔍
EPSS Percentile: 🔍
价格预测: 🔍
当前价格估算: 🔍
| 0-Day | 开锁 | 开锁 | 开锁 | 开锁 |
|---|---|---|---|---|
| 今天 | 开锁 | 开锁 | 开锁 | 开锁 |
Nessus ID: 69318
Nessus 名称: PuTTY 0.52 to 0.62 Multiple Vulnerabilities
Nessus 文件: 🔍
Nessus 风险: 🔍
Nessus 家庭: 🔍
OpenVAS ID: 892736
OpenVAS 名称: Debian Security Advisory DSA 2736-1 (putty - several vulnerabilities
OpenVAS 文件: 🔍
OpenVAS 家庭: 🔍
Qualys ID: 🔍
Qualys 名称: 🔍
威胁情报
利益: 🔍活跃演员: 🔍
活跃的APT团体: 🔍
对策
建议: 升级状态: 🔍
反应时间: 🔍
0天时间: 🔍
曝光时间: 🔍
升级: PuTTY 0.63
时间轴
2013-06-12 🔍2013-08-05 🔍
2013-08-05 🔍
2013-08-06 🔍
2013-08-06 🔍
2013-08-06 🔍
2013-08-12 🔍
2013-08-13 🔍
2013-08-15 🔍
2013-08-19 🔍
2021-05-21 🔍
来源
公告: PuTTY vulnerability vuln-modmul研究人员: Mark Wooding
状态: 已确认
确认: 🔍
已协调: 🔍
CVE: CVE-2013-4206 (🔍)
GCVE (CVE): GCVE-0-2013-4206
GCVE (VulDB): GCVE-100-9945
OVAL: 🔍
SecurityFocus: 61599 - PuTTY 'getstring()' Function Multiple Integer Overflow Vulnerabilities
Secunia: 54354 - PuTTY Multiple Integer Overflow Vulnerabilities, Moderately Critical
OSVDB: 96210
Vulnerability Center: 40972 - PuTTY 0.52 - 0.62 \x27modmul\x27 Heap-Corruption Buffer Vulnerability Allows Remote DoS, Medium
其他: 🔍
另见: 🔍
条目
已创建: 2013-08-15 12時09分已更新: 2021-05-21 14時34分
更改: 2013-08-15 12時09分 (87), 2017-05-08 09時03分 (4), 2021-05-21 14時34分 (2)
完整: 🔍
Cache ID: 216:A9A:103
暂时没有任何评论。 语言: zh + en.
请登录后发表评论。