Home |
Licence |
FAQ |
Docs |
Download |
Keys |
Links
Mirrors |
Updates |
Feedback |
Changes |
Wishlist |
Team
PuTTY 0.63 and earlier versions implement Diffie-Hellman key exchange without checking that the value sent by the server is within the range [1,p-1]. This range check is required by section 8 of RFC 4253.
PuTTY 0.64 does fix this. In fact, it enforces the slightly smaller range [2,p-2], since values 1 and p-1 are also worthless for secure Diffie-Hellman.
Thanks to Matta Security for reporting this bug.
Matta considers this to be a security vulnerability, on the grounds that a Diffie-Hellman value of zero (for example) sent by the server, if not rejected by the client, would constitute a weak key and permit even a passive eavesdropper to read the session traffic. Matta has assigned this issue the id "MATTA-2015-002"; we were given this URL for the forthcoming advisory, but as of the time of writing it has not yet appeared.
With respect to Matta, we do not classify this as a vulnerability: a server sending a value of zero on purpose could just as easily expose the session traffic by other methods anyway (e.g. simply sending a copy of the traffic to whoever it wanted to), and given the range of values from which Diffie-Hellman keys are selected, a server sending the value zero by accident would happen with probability far, far lower than a spontaneous collision in a secure hash function, so if spontaneous hash collision is not considered a vulnerability then neither should this be.
Audit trail for this bug.