CVE-2017-6542
published 2017-03-27


Priority: P2 67 · critical 9.8 · CVSS 3.0
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 21.82% (97.3rd percentile)

The ssh_agent_channel_data function in PuTTY before 0.68 allows remote attackers to have unspecified impact via a large length value in an agent protocol message and leveraging the ability to connect to the Unix-domain socket representing the forwarded agent connection, which triggers a buffer overflow.

Affected

8 ranges

Vendor            Product  Version range              Fixed in
debian            putty    < putty 0.67-3 (bookworm)  putty 0.67-3 (bookworm)
opensuse          leap     -                          -
opensuse_project  leap     -                          -
putty             putty    <= 0.67                    -
putty             putty    >= 0 < 0.67-3              0.67-3
putty             putty    >= 0 < 0.67-3              0.67-3
putty             putty    >= 0 < 0.67-3              0.67-3
putty             putty    >= 0 < 0.67-3              0.67-3

Detection & IOCs (extracted from sources)

Command: (echo -ne '\xFF\xFF\xFF\xFD\x0B'; cat /dev/zero) | socat stdio unix-connect:$SSH_AUTH_SOCK
Bytes: \xFF\xFF\xFF\xFD\x0B (agent protocol message with overflowing length field 0xFFFFFFFD)
  • Trigger condition: the attacker sends an agent protocol message whose 32-bit length field is 0xFFFFFFFD (or any value that wraps when 4 is added), causing an integer overflow in ssh_agent_channel_data and subsequent heap corruption. Monitor for abnormally large length fields (≥ 0xFFFFFFFC) in SSH agent forwarding socket traffic.
  • Exploitation requires SSH agent forwarding to be enabled, and the attacker must be able to connect to the Unix-domain socket ($SSH_AUTH_SOCK) representing the forwarded agent connection. Detect unexpected processes connecting to SSH_AUTH_SOCK on the server side.
  • Affected versions: PuTTY 0.67 and earlier (present in 0.67). Flag use of PuTTY versions prior to 0.68 in environments with agent forwarding enabled.
  • The vulnerable function is ssh_agent_channel_data. A crash (heap corruption) of PuTTY following agent-forwarded session activity is a strong indicator of an exploitation attempt.
  • SSH agent forwarding must be explicitly enabled by the user (off by default). The vulnerability is not exploitable unless agent forwarding is active.
  • An attacker who can already reach the forwarded agent socket can also generate signatures with stored private keys regardless of this CVE — existing OS-level protections on SSH_AUTH_SOCK are the primary defense layer.
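The detection advice above (flag agent-protocol length fields of 0xFFFFFFFC and above) can be checked mechanically by framing the socket traffic the same way the agent protocol does: a 4-byte big-endian length followed by that many bytes. The following parser is an added example written for this page, not code from PuTTY or from the page's sources; it reproduces the 32-bit wraparound of `length + 4` that the trigger condition describes and reports any message whose length would wrap. The sample byte strings are constructed: a benign request-identities message (length 1, type byte 0x0B) followed by the overflowing message quoted in the Bytes line.

```python
from __future__ import annotations

import struct
from typing import List, NamedTuple

U32_MAX = 0xFFFFFFFF
# Largest length that still fits once the 4-byte prefix is added in 32-bit arithmetic.
# Anything above this (i.e. >= 0xFFFFFFFC) wraps, which is the trigger condition for CVE-2017-6542.
MAX_SAFE_LEN = U32_MAX - 4  # 0xFFFFFFFB


class Finding(NamedTuple):
    offset: int          # byte offset of the 4-byte length field in the stream
    length: int          # declared payload length
    wrapped_total: int   # (length + 4) truncated to 32 bits, as a vulnerable parser would compute it
    verdict: str         # "ok", "overflow" or "truncated"


def wrapped_message_size(length: int) -> int:
    """Return length + 4 as a 32-bit unsigned value (models the vulnerable arithmetic)."""
    return (length + 4) & U32_MAX


def scan_agent_stream(data: bytes) -> List[Finding]:
    """Walk a captured agent-socket stream message by message and classify each length field.

    Scanning stops at the first overflowing or truncated message because the stream
    cannot be framed reliably past that point.
    """
    findings: List[Finding] = []
    off = 0
    while off + 4 <= len(data):
        (length,) = struct.unpack_from(">I", data, off)
        wrapped = wrapped_message_size(length)
        if length > MAX_SAFE_LEN:
            findings.append(Finding(off, length, wrapped, "overflow"))
            break
        if off + 4 + length > len(data):
            findings.append(Finding(off, length, wrapped, "truncated"))
            break
        findings.append(Finding(off, length, wrapped, "ok"))
        off += 4 + length
    return findings


def has_overflowing_length(data: bytes) -> bool:
    """True if any message in the stream carries a length field that wraps when 4 is added."""
    return any(f.verdict == "overflow" for f in scan_agent_stream(data))


# Constructed sample traffic (not captured data):
BENIGN_REQUEST_IDENTITIES = b"\x00\x00\x00\x01\x0b"   # length 1, SSH2_AGENTC_REQUEST_IDENTITIES (11)
OVERFLOWING_MESSAGE = b"\xff\xff\xff\xfd\x0b"         # length 0xFFFFFFFD, the value quoted on this page
SAMPLE_STREAM = BENIGN_REQUEST_IDENTITIES + OVERFLOWING_MESSAGE

if __name__ == "__main__":
    for f in scan_agent_stream(SAMPLE_STREAM):
        print(f"offset={f.offset} length=0x{f.length:08X} "
              f"length+4 (32-bit)=0x{f.wrapped_total:08X} verdict={f.verdict}")
```

Running the block prints the benign message as `ok` (length 1, total 5) and the second message as `overflow`, where `length + 4` wraps from 0xFFFFFFFD to 1: that wrapped value is what makes the oversized message pass a naive size check, so a monitor watching `$SSH_AUTH_SOCK` traffic should alert on the raw length field rather than on the computed total.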

CVSS provenance

nvd            v3.0  9.8  CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0  7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                  9.8  CRITICAL
vendor_debian        9.8  CRITICAL