Critical Security Flaw in PuTTY Affects Multiple Versions: Users Urged to Update Immediately
Charles M. Walls | April 16, 2024 | Views: 140
The popular SSH and Telnet client PuTTY has announced a critical security flaw affecting versions 0.68 to 0.80. This vulnerability could allow attackers to completely retrieve private NIST P-521 (ecdsa-sha2-nistp521) keys, posing a serious threat to user data. Identified as CVE-2024-31497, this vulnerability was discovered by Fabian Bäumer and Marcus Brinkmann of Ruhr University Bochum.
In a recent advisory, the PuTTY team explained that attackers could potentially forge signatures to access servers by exploiting this flaw. Specifically, if an attacker acquires several dozen signed messages and the corresponding public key, they can deduce the private key. This would enable them to impersonate the key's rightful owner, gaining unauthorized access to servers where this key is used.
The vulnerability originates from how ECDSA cryptographic nonces are generated, which are biased in a way that makes private key recovery feasible. "The first 9 bits of each ECDSA nonce are consistently zero, which significantly simplifies the process of recovering the full private key using advanced techniques, requiring about 60 signatures," Bäumer detailed on the Open Source Software Security (oss-sec) mailing list.
This security flaw is not limited to PuTTY alone but also affects other software that incorporates similar versions of this client, including FileZilla (versions 3.24.1 to 3.66.5), WinSCP (versions 5.9.5 to 6.3.2), TortoiseGit (versions 2.4.0.2 to 2.15.0), and TortoiseSVN (versions 1.10.0 to 1.14.6). The developers have patched this issue in the latest updates of these applications, and users are advised to upgrade immediately to secure their data.
Specific remedial actions include adopting the RFC 6979 technique for generating DSA and ECDSA nonces across all affected products. This method replaces the previously used deterministic approach that, while reducing randomness requirements, made the nonces predictably biased when using the P-521 curve. Furthermore, all NIST-P521 ECDSA keys previously used with these vulnerable software versions should be considered compromised. Users are urged to revoke these keys by removing them from ~/.ssh/authorized_keys and similar files on other SSH servers.
As software developers and users continue to navigate the complexities of internet security, staying informed and responsive to updates is crucial in protecting digital infrastructure and sensitive information from emerging threats.