CVSS 8.1 CVE-2021-36367
CVSS 8.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Note: MITRE’s description is wrong. Please read note bellow.
PuTTY through 0.75 proceeds with establishing an SSH session even if it has never sent a substantive authentication response. This makes it easier for an attacker-controlled SSH server to present a later spoofed authentication prompt (that the attacker can use to capture credential data, and use that data for purposes that are undesired by the client user).
SSH “none” Authentication and PuTTY’s Behavior
The SSH authentication protocol (RFC 4252) includes a method called none. Its
purpose is to allow clients to query which authentication methods a server supports:
the server responds with a list of acceptable methods (publickey, password,
keyboard-interactive, etc.) along with an SSH_MSG_USERAUTH_FAILURE message.
However, the protocol also permits a server to respond with SSH_MSG_USERAUTH_SUCCESS
to a none request, granting immediate access. This is valid for servers that
intentionally allow anonymous or unauthenticated connections.
A Man-in-The-Middle attacker can exploit this: by accepting the none authentication
method, the attacker’s SSH server can establish a session with any connecting client
without needing to interact with the user at all. No password prompt, no key
confirmation — the session is established silently.
In PuTTY prior to 0.71, there was no indication to the user that this had occurred:
User opens PuTTY and connects to what they believe is their server
The MITM server accepts
noneauth — session establishedPuTTY shows the normal terminal window
The MITM can now present any prompt (a fake
sudorequest, a custom banner, akeyboard-interactiveprompt asking for a password) which the user has no reason to distrustWhatever the user enters goes to the attacker, who can replay it to the real server
Why This Attack is Invisible Before PuTTY 0.71
PuTTY versions before 0.71 display no warning and show no visual difference when a
server accepts none authentication. The terminal window opens and behaves exactly
as it would after a legitimate authentication. The user has no indication that they
never authenticated.
In normal authentication, PuTTY displays the authentication banner and prompts
for credentials. When none auth succeeds, these steps are skipped — but PuTTY
< 0.71 does not make this skip visible.
The Trust Sigil System (PuTTY 0.71 – 0.75)
PuTTY 0.71 introduced the trust sigil system as a partial mitigation: a visual
marker ((!) or a colored indicator in the title bar) is shown when the server
accepted the connection without requiring substantive authentication. The purpose is
to warn the user that anything displayed in the terminal before the sigil is trusted
output, while the sigil marks the boundary where PuTTY’s own indication ends.
However, 0.71–0.75 do not actively prevent the attack:
The trust sigil is displayed, but PuTTY still connects
A user who does not know what the sigil means (or does not notice it) is still vulnerable
Nothing stops a user from typing credentials into a subsequent prompt
Version Summary
PuTTY version |
Behavior |
|---|---|
< 0.71 |
|
0.71 – 0.75 |
Trust sigil displayed. Attack works if user ignores or doesn’t understand the sigil. |
≥ 0.76 |
|
Note
Comment from Simon Tatham:
CVE-2021-36367 refers to this new option as a fix for a vulnerability, and describes the vulnerability as “PuTTY through 0.75 proceeds with establishing an SSH session even if it has never sent a substantive authentication response”. With respect to the author of that text, we consider that to be misleading. It is perfectly legal for the server to waive authentication, and actually useful in some legitimate use cases; it is perfectly legal for PuTTY to proceed with the connection regardless; and the trust sigil system introduced in 0.71 already defends against every spoofing/phishing attack we know of that a server could attempt by doing this unexpectedly. This new option is a UI improvement, but not in and of itself a vital vulnerability fix.
Version Discrepancy
NVD and MITRE list this vulnerability as affecting “PuTTY through 0.75”, while the affected version here is listed as “PuTTY < 0.71”. This discrepancy is intentional and follows from the version summary above:
< 0.71: The attack is completely invisible — no indicator shown. This is the unambiguous vulnerable range.
0.71 – 0.75: The attack works, but a trust sigil is shown. Whether this counts as “affected” depends on whether one considers a visible-but-ignorable warning sufficient mitigation. Simon Tatham considers 0.71+ already mitigated (see note above); NVD counts through 0.75.
≥ 0.76: Active prevention is available via
-o RejectTrivialAuth=yes.
PoC Exploit
The trivial authentication phishing attack is described in Trivial Authentication.
Vendor Credit
Note
AUT-milCERT recommended this enhancement and contributed substantially to its implementation.
Source: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/reject-trivial-auth.html