PuTTY vulnerability vuln-windows-remote-title-dos

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Changes | Wishlist

summary: Rapid changes of window title can DoS Windows GUI
class: vulnerability: This is a security vulnerability.
difficulty: tricky: Needs many tuits.
priority: high: This should be fixed in the next release.
present-in: 0.74
fixed-in: d74308e90e3813af664f91ef8c9d1a0644aa9544 (0.75)

In the Windows version of PuTTY (and PuTTYtel), if the server sent a rapid series of terminal escape sequences that repeatedly changed the title of the terminal window, the Windows GUI could become unresponsive, because it couldn't keep up with all the title changes.

We think this is primarily a bug in Windows itself. (If it can't handle window title changes that quickly, it should apply a rate limit, or else a buggy local program can cause the same problem, by accident or on purpose.)

But PuTTY's feature of allowing server-controlled title changes had the effect of exporting that local bug over the network, and turning it into a remotely triggerable denial of service: it permits a server, or a server-side application with the ability to write to your terminal device, to DoS the client machine's Windows GUI.

In 0.75, the terminal code has been reworked so that title changes are buffered within PuTTY itself, and a rate limit is applied before they are passed on to the Windows API. So if the server changes the window title 10000 times in a second, only 50 of the title changes will actually get as far as the Windows API; the rest will just keep rewriting a buffer inside PuTTY's terminal emulation code.

For previous versions of PuTTY, an easy workaround is to disable the feature that allows the server to set the window title: on the Features panel, tick the box "Disable remote-controlled window title changing".

This vulnerability was discovered by Eviatar Gerzi of CyberArk Labs. It has been assigned CVE-2021-33500.

If you want to comment on this web site, see the Feedback page.
Audit trail for this vulnerability.
(last revision of this bug record was at 2021-06-03 20:09:48 +0100)