oss-sec mailing list archives
Re: CVE Request: PuTTY fails to clear private key information from memory
From: cve-assign () mitre org
Date: Sat, 28 Feb 2015 12:37:10 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Use CVE-2015-2157. This falls into a narrow set of situations in which a CVE ID can be assigned even though the issue does not cross privilege boundaries. The vendor is specifically announcing this as "This is a security vulnerability." (Also, wiping private-key memory is a conventional behavior seen in many products. It is not the same as wiping any memory block that any researcher may feel is sensitive in some way.)
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html
However, if you ever told Pageant to delete a key from memory, it would not have properly deleted it: it would still have retained a copy by mistake due to this bug.
Because of the "this bug" wording, a single CVE ID is assigned. However, in general, these two cases could be distinguished: - violating a user's reasonable expectations about what preemptive memory wiping should occur - providing a UI feature advertised as a way to tell a product to wipe a key from memory, accompanied by actual behavior in which no wiping occurs with separate CVE IDs. In other words, there would be two CVE IDs if there were two bugs (one for each case) fixed independently. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJU8fxVAAoJEKllVAevmvmsPEAIAI+BEhf4vgQeJ0DUdXbbYRsH gJHqdlKZSMrPsu3TKKkahVLwifZaijJvMqTItzvZOPJQ5/E5Wv2CfHZxWiJYDSwq JEszf1IUAA0trny8h8wDtj8sAbDG5m/yTYEIp68bp/zxn/1g7ti9arzBjZXQUmpM 3HAJE8l2ajIwRgtq3TJagTJ8uFpMb9qh1fXmL5SoMP8y/dfRPgT0IntIQtg3LzgB RLPFpY+6Ftk1GSK7ZcamWt1CSnk/UPWjKCbpqTWa6z4HNdcNuO6CFwpMLH/e3P2t pTFlLW+z6pxTmPAfkB9mspAR2vGVyfbBMpktxwpUTSNtkxemfC8RAU60WvRyOHc= =aQwW -----END PGP SIGNATURE-----
Current thread:
- CVE Request: PuTTY fails to clear private key information from memory Patrick Coleman (Feb 28)
- Re: CVE Request: PuTTY fails to clear private key information from memory cve-assign (Feb 28)
- Re: CVE Request: PuTTY fails to clear private key information from memory Zubin Mithra (Feb 28)