CVE-2019-9898 - Use of a Broken or Risky Cryptographic Algorithm

Severity

75%

Complexity

99%

Confidentiality

106%

Potential recycling of random numbers used in cryptography exists within PuTTY before 0.71.

Potential recycling of random numbers used in cryptography exists within PuTTY before 0.71.

CVSS 3.0 Base Score 9.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P).

Demo Examples

Use of a Broken or Risky Cryptographic Algorithm

CWE-327

These code examples use the Data Encryption Standard (DES).


               
EVP_des_ecb();

               
des.initEncrypt(key2);

               
}
return $encryptedPassword;

Once considered a strong algorithm, DES now regarded as insufficient for many applications. It has been replaced by Advanced Encryption Standard (AES).

Overview

First reported 6 years ago

2019-03-21 16:01:00

Last updated 6 years ago

2019-04-26 14:11:00

Affected Software

PuTTY

Fedora 28

28

Fedora 29

29

Debian Linux 8.0 (Jessie)

8.0

Debian Linux 9.0

9.0

openSUSE Leap 15.0

15.0

References

openSUSE-SU-2019:1113

Mailing List, Third Party Advisory

openSUSE-SU-2019:1123

Mailing List, Third Party Advisory

107523

Third Party Advisory, VDB Entry

[debian-lts-announce] 20190424 [SECURITY] [DLA 1763-1] putty security update

Mailing List, Third Party Advisory

FEDORA-2019-9e1a1cd634

Mailing List, Release Notes, Third Party Advisory

FEDORA-2019-5776dfe300

Mailing List, Release Notes, Third Party Advisory

20190403 [SECURITY] [DSA 4423-1] putty security update

Mailing List, Third Party Advisory

https://security.netapp.com/advisory/ntap-20190329-0002/

Broken Link

https://security.netapp.com/advisory/ntap-20190401-0002/

Patch, Third Party Advisory

https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

Third Party Advisory

DSA-4423

Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.