CVE-2024-31497: PuTTY Exploit Endangers Data

The developers of PuTTY are issuing a warning about a critical vulnerability affecting versions 0.68 to 0.80, which could potentially allow an attacker to completely reconstruct private NIST-P521 keys.

The vulnerability, identified as CVE-2024-31497, arises from failures in generating cryptographic nonces for ECDSA (Elliptic Curve Digital Signature Algorithm), enabling the recovery of private keys. The discovery of this flaw is attributed to researchers Fabian Bömer and Markus Brinkmann from Ruhr University Bochum.

The first 9 bits of each ECDSA nonce are set to zero, allowing the complete recovery of the secret key from approximately 60 signatures using state-of-the-art methods.

An attacker in possession of several dozen signed messages and the public key would have sufficient data to recover the private key and forge signatures, potentially leading to unauthorized access to servers and services utilizing this key.

The issue has also affected other products integrated with the vulnerable versions of PuTTY:

• FileZilla (versions 3.24.1 – 3.66.5);
• WinSCP (versions 5.9.5 – 6.3.2);
• TortoiseGit (versions 2.4.0.2 – 2.15.0);
• TortoiseSVN (versions 1.10.0 – 1.14.6).

Following responsible disclosure, the issue was resolved in the newer versions of PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1. The developers have employed RFC 6979 techniques for generating all types of DSA and ECDSA keys, abandoning the previous method.

Users of TortoiseSVN are advised to use Plink from the latest PuTTY release, version 0.81, for accessing SVN repositories via SSH until an update is released.

ECDSA NIST-P521 keys used in any of the vulnerable components should be considered compromised and immediately revoked, removing them from “~/.ssh/authorized_keys” and similar files on other SSH servers.