CVE-2021-36367

8.1 CVSS
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
https://nvd.nist.gov/vuln/detail/CVE-2021-36367

Integrated in SSH-MITM server

Note: MITRE's description is wrong. Please read the note below.
PuTTY through 0.75 proceeds with establishing an SSH session even if it has never sent a substantive authentication response. This makes it easier for an attacker-controlled SSH server to present a later spoofed authentication prompt (that the attacker can use to capture credential data, and use that data for purposes that are undesired by the client user).

Affected Software:
  • PuTTY < 0.71

Note

Comment from Simon Tatham:

CVE-2021-36367 refers to this new option as a fix for a vulnerability, and describes the vulnerability as “PuTTY through 0.75 proceeds with establishing an SSH session even if it has never sent a substantive authentication response”. With respect to the author of that text, we consider that to be misleading. It is perfectly legal for the server to waive authentication, and actually useful in some legitimate use cases; it is perfectly legal for PuTTY to proceed with the connection regardless; and the trust sigil system introduced in 0.71 already defends against every spoofing attack we know of that a server could attempt by doing this unexpectedly. This new option is a UI improvement, but not in and of itself a vital vulnerability fix.
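
A client or a monitoring tool can flag the condition named in the CVE description, a session that starts although the client never sent a substantive authentication response, by classifying the user-authentication messages of one connection. This is an added example, not code from PuTTY or SSH-MITM; the transcript layout, the function names and the definition of "substantive" (a password, a signed publickey request, or a non-empty keyboard-interactive response) are assumptions made here, and the sample transcripts are constructed.

```python
# Message numbers from RFC 4252 (userauth) and RFC 4256 (keyboard-interactive).
USERAUTH_REQUEST, USERAUTH_FAILURE, USERAUTH_SUCCESS = 50, 51, 52
USERAUTH_INFO_REQUEST, USERAUTH_INFO_RESPONSE = 60, 61

def is_substantive(msg):
    """Assumed definition: the message carries a secret or a proof of key possession."""
    if msg["type"] == USERAUTH_REQUEST:
        if msg["method"] == "password":
            return True
        if msg["method"] == "publickey":
            return msg.get("signed", False)   # an unsigned key query proves nothing
        return False  # "none", the opening keyboard-interactive request, unmodelled methods
    if msg["type"] == USERAUTH_INFO_RESPONSE:
        return len(msg["responses"]) > 0      # zero prompts answered: nothing was given
    return False

def classify_auth(transcript):
    """Return 'substantive', 'trivial' or 'incomplete' for one userauth exchange."""
    substantive = False
    for sender, msg in transcript:
        if sender == "client" and is_substantive(msg):
            substantive = True
        elif sender == "server" and msg["type"] == USERAUTH_SUCCESS:
            return "substantive" if substantive else "trivial"
    return "incomplete"

# Constructed sample transcripts: (sender, message) pairs in wire order.
NONE_ACCEPTED = [
    ("client", {"type": USERAUTH_REQUEST, "method": "none"}),
    ("server", {"type": USERAUTH_SUCCESS}),
]
KEY_QUERY_ACCEPTED = [
    ("client", {"type": USERAUTH_REQUEST, "method": "publickey", "signed": False}),
    ("server", {"type": USERAUTH_SUCCESS}),
]
EMPTY_KI_ACCEPTED = [
    ("client", {"type": USERAUTH_REQUEST, "method": "keyboard-interactive"}),
    ("server", {"type": USERAUTH_INFO_REQUEST, "prompts": []}),
    ("client", {"type": USERAUTH_INFO_RESPONSE, "responses": []}),
    ("server", {"type": USERAUTH_SUCCESS}),
]
PASSWORD_ACCEPTED = [
    ("client", {"type": USERAUTH_REQUEST, "method": "none"}),
    ("server", {"type": USERAUTH_FAILURE, "can_continue": ["password"]}),
    ("client", {"type": USERAUTH_REQUEST, "method": "password"}),
    ("server", {"type": USERAUTH_SUCCESS}),
]
if __name__ == "__main__":
    for name in ("NONE_ACCEPTED", "KEY_QUERY_ACCEPTED", "EMPTY_KI_ACCEPTED", "PASSWORD_ACCEPTED"):
        print(f"{name}: {classify_auth(globals()[name])}")
```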
