A vulnerability (CVE-2024-31497) in PuTTY, a popular SSH and Telnet client, could allow attackers to recover NIST P-521 client keys due to the “heavily biased” ECDSA nonces (random values used once), researchers have discovered.
“To be more precise, the first 9 bits of each ECDSA nonce are zero. This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques,” Fabian Bäumer shared on the oss-sec mailing list.
According to PuTTY maintainers, 521-bit ECDSA is the only affected key type. “Other sizes of ECDSA, and other key algorithms, are unaffected. In particular, Ed25519 is not affected,” they said.
What’s the big deal about CVE-2024-31497?
The vulnerability was discovered by Bäumer and Marcus Brinkmann, researchers with Ruhr-Universität Bochum. (Bäumer and Brinkmann were also behind last year’s discovery of Terrapin, a prefix truncation attack targeting the SSH protocol.)
CVE-2024-31497 allows an attacker that knows the public key and around 60 valid ECDSA signatures generated by any PuTTY component under the same key to derive the private key, which they can then use to log into any SSH servers that key is used for.
To obtain these signatures, an attacker may compromise a server the user repeatedly authenticates to.
“If the key has been used to sign arbitrary data (e.g., git commits by forwarding Pageant [an SSH authentication agent for PuTTY] to a development host), the publicly available signatures (e.g., on GitHub) can be used as well,” Bäumer noted.
The vulnerability affects PuTTY v0.68 to 0.80, as well as other software that come bundled with an affected PuTTY version:
- FileZilla 3.24.1 – 3.66.5
- WinSCP 5.9.5 – 6.3.2
- TortoiseGit 2.4.0.2 – 2.15.0
- TortoiseSVN 1.10.0 – 1.14.6
What to do?
The vulnerability has been fixed in PuTTY v0.81 by switching to the RFC 6979 technique for DSA nonce generation, and the maintainers explained why the switch wasn’t made earlier.
But, as Bäumer pointed out, all NIST P-521 client keys used with PuTTY must be considered compromised and should be revoked.
“Remove the old public key from all OpenSSH authorized_keys files, and the equivalent in other SSH servers, so that a signature from the compromised key has no value any more. Then generate a new key pair to replace it,” PuTTY maintainers advised.
CVE-2024-31497 has also been fixed in FileZilla v3.67.0, WinSCP v6.3.3, and TortoiseGit v2.15.0.1. TortoiseSVN users should configure it to use Plink from PuTTY v0.81 when accessing a SVN repository via SSH until a patch becomes available.