Vulnerability CVE-2006-7162

Vulnerability Name:

CVE-2006-7162 (CCN-38575)

Assigned:

2006-11-28

Published:

2006-11-28

Updated:

2008-09-05

Summary:

PuTTY 0.59 and earlier uses weak file permissions for (1) ppk files containing private keys generated by puttygen and (2) session logs created by putty, which allows local users to gain sensitive information by reading these files.

CVSS v3 Severity:

5.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

1.9 Low (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N)
1.6 Low (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

3.6 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N)
3.1 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-Other

Vulnerability Consequences:

Other

References:

Source: CCN
Type: Debian Bug report logs - #400804
putty-tools: puttygen can create world-readable private keys

Source: CONFIRM
Type: Patch, Vendor Advisory
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=400804

Source: MITRE
Type: CNA
CVE-2006-7162

Source: CCN
Type: SA24381
PuTTY "puttygen" Insecure File Permissions

Source: SECUNIA
Type: Vendor Advisory
24381

Source: CCN
Type: PuTTY Web page
PuTTY Download Page

Source: CCN
Type: OSVDB ID: 33856
PuTTY on Debian Linux puttygen ppk File Creation Permission Weakness

Source: CCN
Type: BID-22809
PuTTY Puttygen Insecure Private Key File Permissions Vulnerability

Source: XF
Type: UNKNOWN
putty-puttygen-weak-security(38575)

Vulnerable Configuration:

Configuration 1:

cpe:/a:putty:putty:*:*:*:*:*:*:*:* (Version <= 0.59)

Denotes that component is vulnerable

BACK