Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 2.1
CVE Id: CVE-2015-2157
Last Modified: 02 Sep 2015 01:30:42
Published: 27 Mar 2015 10:59:05
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE

CVE-2015-2157

Summary

The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51 through 0.63 do not properly wipe SSH-2 private keys from memory, which allows local users to obtain sensitive information by reading the memory.

Vulnerable Systems

Operating System

  • Debian Linux 7.0

  • Fedoraproject Fedora 20

  • Fedoraproject Fedora 22

  • Novell Opensuse 13.1

  • Novell Opensuse 13.2

Application

  • Greenend Putty 0.63

  • Simon Tatham Putty 0.51

  • Simon Tatham Putty 0.52

  • Simon Tatham Putty 0.53

  • Simon Tatham Putty 0.53b

  • Simon Tatham Putty 0.54

  • Simon Tatham Putty 0.55

  • Simon Tatham Putty 0.56

  • Simon Tatham Putty 0.57

  • Simon Tatham Putty 0.58

  • Simon Tatham Putty 0.59

  • Simon Tatham Putty 0.60

  • Simon Tatham Putty 0.61

  • Simon Tatham Putty 0.62

  • Simon Tatham Putty 0.63


References

CONFIRM - http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html

CONFIRM - http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

MLIST - [oss-security] 20150228 Re: CVE Request: PuTTY fails to clear private key information from memory

MLIST - [oss-security] 20150228 CVE Request: PuTTY fails to clear private key information from memory

DEBIAN - DSA-3190

SUSE - openSUSE-SU-2015:0474

FEDORA - FEDORA-2015-3204

FEDORA - FEDORA-2015-3070

FEDORA - FEDORA-2015-3160


Last Updated: 27 May 2016 11:08:14