CVE-2021-47759
📋 TL;DR
MTPutty 1.0.1.21 contains a sensitive information disclosure vulnerability where local attackers can view SSH connection passwords through Windows PowerShell process listing. This affects users running MTPutty on Windows systems where attackers have local access to the machine.
💻 Affected Systems
- MTPutty
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers with local access can steal SSH credentials, potentially gaining unauthorized access to remote systems and sensitive data.
Likely Case
Malicious users or malware on the same Windows system can harvest SSH passwords for lateral movement or credential theft.
If Mitigated
With proper access controls and monitoring, impact is limited to credential exposure without actual compromise of remote systems.
🎯 Exploit Status
Exploitation requires local access to the Windows system. The PowerShell command to retrieve credentials is publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: https://ttyplus.com/multi-tabbed-putty/
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available or using alternative SSH clients.
🔧 Temporary Workarounds
Use alternative SSH client
Windows: Replace MTPutty with a secure SSH client that doesn't expose credentials in process listings.
Restrict local access
Windows: Implement strict access controls to prevent unauthorized local users from accessing systems running MTPutty.
🧯 If You Can't Patch
- Monitor for suspicious PowerShell commands targeting MTPutty processes
- Implement credential rotation for SSH accounts used with MTPutty
🔍 How to Verify
Check if Vulnerable:
Run PowerShell command: Get-WmiObject Win32_Process | Where-Object {$_.CommandLine -like '*MTPutty*'} | Select-Object CommandLine
Check Version:
Check MTPutty version in Help > About menu or program properties
Verify Fix Applied:
Check if MTPutty is no longer installed or if credentials are no longer visible in process listings.
📡 Detection & Monitoring
Log Indicators:
- PowerShell execution logs showing process enumeration commands
- Security logs showing unauthorized access attempts
Network Indicators:
- Unusual SSH connections from systems where MTPutty was running
SIEM Query:
EventID=4688 OR EventID=4104 WHERE CommandLine LIKE '%Get-WmiObject%' AND CommandLine LIKE '%MTPutty%'
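Added example (not part of the original advisory or the vendor's tooling): the SIEM logic above expressed as Python over exported event records. It assumes events arrive as dictionaries with `EventID`, `Computer`, and either `CommandLine` (4688) or `ScriptBlockText` (4104, where script block logging stores the text); it goes slightly beyond the query by also matching the `gwmi`, `Get-CimInstance` and `gcim` equivalents, and it reports hosts whose 4688 events carry no command line, where the rule cannot fire. All sample events are constructed.

```python
import re

# Process-enumeration calls that expose Win32_Process command lines.
# Get-WmiObject is the page's command; gwmi/Get-CimInstance/gcim are equivalents.
ENUM_RE = re.compile(
    r"\b(Get-WmiObject|gwmi|Get-CimInstance|gcim)\b.*\bWin32_Process\b", re.I | re.S)
TARGET_RE = re.compile(r"mtputty", re.I)  # target string from the page's query

# Field that carries the text to inspect, per event ID (assumed export schema).
TEXT_FIELD = {4688: "CommandLine", 4104: "ScriptBlockText"}

def matches(event):
    """True if the event shows process enumeration aimed at MTPutty."""
    field = TEXT_FIELD.get(event.get("EventID"))
    if field is None:
        return False
    text = event.get(field) or ""
    return bool(ENUM_RE.search(text) and TARGET_RE.search(text))

def detect(events):
    """Computer names of events that should raise an alert, in input order."""
    return [e["Computer"] for e in events if matches(e)]

def blind_hosts(events):
    """Hosts whose 4688 events have no command line (auditing policy off)."""
    return sorted({e["Computer"] for e in events
                   if e.get("EventID") == 4688 and not e.get("CommandLine")})

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS-01", "CommandLine":
     "powershell.exe -c \"Get-WmiObject Win32_Process | "
     "Where-Object {$_.CommandLine -like '*MTPutty*'}\""},
    {"EventID": 4104, "Computer": "WS-02", "ScriptBlockText":
     "gwmi Win32_Process |\n  ? { $_.CommandLine -like '*mtputty*' }"},
    # Normal application launch: names MTPutty but enumerates nothing.
    {"EventID": 4688, "Computer": "WS-03",
     "CommandLine": "C:\\Tools\\MTPutty\\mtputty.exe"},
    # Generic inventory script: enumerates processes but does not target MTPutty.
    {"EventID": 4104, "Computer": "WS-04",
     "ScriptBlockText": "Get-CimInstance Win32_Process | Select-Object Name"},
    # Process creation logged without a command line.
    {"EventID": 4688, "Computer": "WS-05", "CommandLine": ""},
]

if __name__ == "__main__":
    print("alerts:", detect(SAMPLE_EVENTS))
    print("no command line logged:", blind_hosts(SAMPLE_EVENTS))
```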