CVE-2021-36367
📋 TL;DR
This vulnerability in PuTTY allows an attacker-controlled SSH server to present a spoofed authentication prompt after the connection is established, even though no proper authentication has taken place. The spoofed prompt can capture user credentials, which can then be used for unauthorized access. All PuTTY users who connect to untrusted SSH servers are affected.
💻 Affected Systems
- PuTTY
📦 What is this software?
PuTTY by the PuTTY project
⚠️ Risk & Real-World Impact
Worst Case
Attackers capture valid SSH credentials and use them to gain unauthorized access to systems, potentially leading to data theft, system compromise, or lateral movement.
Likely Case
Users connecting to malicious or compromised SSH servers have their credentials stolen, leading to unauthorized access to the systems those credentials protect.
If Mitigated
With proper network controls and user awareness, impact is limited to credential exposure without successful follow-on attacks.
🎯 Exploit Status
Exploitation requires an attacker to control the SSH server or to intercept connections to legitimate servers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.76 and later
Vendor Advisory: https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
Restart Required: No
Instructions:
1. Download PuTTY 0.76 or later from the official website.
2. Uninstall the old version.
3. Install the new version.
4. Verify the version with the 'putty -V' command.
🔧 Temporary Workarounds
Use alternative SSH clients
Temporarily switch to other SSH clients such as OpenSSH, SecureCRT, or MobaXterm until PuTTY is patched.
Restrict SSH connections
Only connect to trusted SSH servers with verified certificates and known host keys.
🧯 If You Can't Patch
- Implement network segmentation to restrict SSH traffic to trusted servers only
- Use multi-factor authentication for SSH access to reduce impact of credential theft
🔍 How to Verify
Check if Vulnerable:
Check the PuTTY version: if it is 0.75 or earlier, the installation is vulnerable.
Check Version:
putty -V
Verify Fix Applied:
Verify that the PuTTY version is 0.76 or later using the 'putty -V' command.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication prompts from SSH servers
- Multiple failed authentication attempts from single source
Network Indicators:
- SSH connections to unknown or suspicious servers
- Unusual SSH traffic patterns
SIEM Query:
source="putty*" AND (event_description="authentication prompt" OR event_description="credential request")
🔗 References
- https://git.tartarus.org/?p=simon/putty.git%3Ba=commit%3Bh=1dc5659aa62848f0aeb5de7bd3839fecc7debefa
- https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html
- https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
- https://www.debian.org/security/2023/dsa-5588