Home
|
FAQ
|
Feedback
|
Licence
|
Updates
|
Mirrors
|
Keys
|
Links
|
Team
Download:
Stable
·
Snapshot
|
Docs
|
Privacy
|
Changes
|
Wishlist
In all versions of PuTTY between 0.52 (when port forwarding was
introduced) and 0.72 inclusive, when PuTTY listens on a local TCP/IP
port for port-forwarding purposes, it does not set the
SO_EXCLUSIVEADDRUSE
flag which tells Windows to prevent
another application from binding a listening socket to the same port.
As a result, a malicious process running on the same machine would be able to bind to the same port, and intercept some of the incoming connections for its own purposes. Those purposes might include performing a MITM attack on the connection, forwarding the modified data back to the same port.
(To confuse matters further, PuTTY was setting the
SO_REUSEADDR
socket option, meaning that it behaved
somewhat like such a malicious process itself – it could take
over a listening port from another process.
This article
describes the behaviour of SO_REUSEADDR
and
SO_EXCLUSIVEADDRUSE
on Windows. The probable reason
for PuTTY setting SO_REUSEADDR
was that we knew that it's
necessary with Unix-derived IP stacks, to avoid trouble re-binding
ports involved in TIME_WAIT
connections, and assumed
it was necessary everywhere; but on Windows, it's not needed for
that, and turns out to be actively harmful. So PuTTY no longer sets
SO_REUSEADDR
on Windows. This didn't itself cause a
vulnerability.)
This bug was first reported by Patrick Stekovic. It has been assigned CVE-2019-17067.