CVE-2019-17067 – This vulnerability in PuTTY on Windows allows a... (How to Fix)

Q: What is the severity of CVE-2019-17067?

CVE-2019-17067 has a CVSS score of 9.8 (CRITICAL). This vulnerability in PuTTY on Windows allows attackers to hijack incoming SSH port-forwarding connections by listening on the same port. Attackers can intercept or steal sensitive data transmitted through forwarded connections. Only Windows users running PuTTY versions before 0.73 with port forwarding enabled are affected.

📋 TL;DR

This vulnerability in PuTTY on Windows allows attackers to hijack incoming SSH port-forwarding connections by listening on the same port. Attackers can intercept or steal sensitive data transmitted through forwarded connections. Only Windows users running PuTTY versions before 0.73 with port forwarding enabled are affected.

💻 Affected Systems

Products:

PuTTY

Versions: All versions before 0.73

Operating Systems: Windows

Default Config Vulnerable: ✅ No

Notes: Only affects Windows versions of PuTTY; Linux/Unix versions are not vulnerable. Requires port forwarding to be enabled and in use.

📦 What is this software?

Putty by Putty

View all CVEs affecting Putty →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers intercept SSH port-forwarded connections containing sensitive data like credentials, database queries, or internal network traffic, leading to data theft, lateral movement, or complete system compromise.

🟠

Likely Case

Attackers on the same Windows machine steal forwarded connections to internal services, potentially capturing authentication tokens, session data, or sensitive information from forwarded ports.

🟢

If Mitigated

With proper network segmentation and monitoring, impact is limited to potential data leakage from intercepted forwarded connections on compromised endpoints.

🌐 Internet-Facing: LOW - The vulnerability requires local access to the Windows machine running PuTTY; internet-facing systems are not directly vulnerable unless attackers first compromise the endpoint.

🏢 Internal Only: MEDIUM - Internal attackers or malware on the same Windows machine can exploit this to intercept forwarded connections to internal services.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires local access to the Windows machine running vulnerable PuTTY. Attackers can use simple socket binding techniques to hijack the same port.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.73 and later

Vendor Advisory: https://lists.tartarus.org/pipermail/putty-announce/2019/000029.html

Restart Required: No

Instructions:

1. Download PuTTY 0.73 or later from official website. 2. Uninstall old version. 3. Install new version. 4. Verify version with 'putty -V' command.

🔧 Temporary Workarounds

Disable Port Forwarding

windows

Disable all port forwarding in PuTTY sessions to prevent exploitation.

In PuTTY Configuration: Connection > SSH > Tunnels > Remove all forwarded ports

Use Alternative SSH Client

windows

Switch to a non-vulnerable SSH client like OpenSSH for Windows or WSL.

🧯 If You Can't Patch

Restrict local user permissions to prevent unauthorized users from running applications on Windows machines.
Implement network monitoring for unusual local port binding activity on Windows endpoints.

🔍 How to Verify

Check if Vulnerable:

Check PuTTY version: Run 'putty -V' or check About dialog. If version is below 0.73 and running on Windows, system is vulnerable.

Check Version:

putty -V

Verify Fix Applied:

Confirm PuTTY version is 0.73 or higher using 'putty -V' command. Test port forwarding functionality to ensure it works without allowing port hijacking.

📡 Detection & Monitoring

Log Indicators:

Multiple processes binding to same local port in Windows event logs
Failed SSH port forwarding connections in PuTTY logs

Network Indicators:

Unexpected local port listening on Windows machines with PuTTY running
SSH connection attempts to forwarded ports from unexpected sources

SIEM Query:

Process Creation where Image contains 'putty.exe' AND CommandLine contains '-L' OR '-R' AND Version < 0.73

📊 Metadata

CVE ID: CVE-2019-17067

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-770

Published: October 1, 2019

Last Updated: November 21, 2024

🔗 References

https://lists.tartarus.org/pipermail/putty-announce/2019/000029.html Mailing List,Third Party Advisory
https://security.netapp.com/advisory/ntap-20191127-0003/
https://lists.tartarus.org/pipermail/putty-announce/2019/000029.html Mailing List,Third Party Advisory
https://security.netapp.com/advisory/ntap-20191127-0003/

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-17067, you might also want to check these: