Vulnerability Description
The rsa_verify function in PuTTY before 0.63 (1) does not clear sensitive process memory after use and (2) does not free certain structures containing sensitive process memory, which might allow local users to discover private RSA and DSA keys.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Putty | Putty | 0.45 |
| Simon Tatham | Putty | <= 0.62 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00035.html
- http://secunia.com/advisories/54379Vendor Advisory
- http://secunia.com/advisories/54533
- http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped
- http://www.debian.org/security/2013/dsa-2736
- http://www.openwall.com/lists/oss-security/2013/08/06/11
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00035.html
- http://secunia.com/advisories/54379Vendor Advisory
- http://secunia.com/advisories/54533
- http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped
- http://www.debian.org/security/2013/dsa-2736
- http://www.openwall.com/lists/oss-security/2013/08/06/11
FAQ
What is CVE-2013-4208?
CVE-2013-4208 is a vulnerability with a CVSS score of 2.1 (LOW). The rsa_verify function in PuTTY before 0.63 (1) does not clear sensitive process memory after use and (2) does not free certain structures containing sensitive process memory, which might allow local...
How severe is CVE-2013-4208?
CVE-2013-4208 has been rated LOW with a CVSS base score of 2.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-4208?
Check the references section above for vendor advisories and patch information. Affected products include: Putty Putty, Simon Tatham Putty.