===========================================================================
                         AUSCERT Security Bulletin                         
                                                                           
                               ASB-2024.0072                               
                       Critical PuTTY Vulnerability                        
                               17 April 2024                               
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PuTTY                                                   
Operating System:  Windows                                                 
                   UNIX variants (UNIX, Linux, OSX)                        
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2024-31497                                          

Comment: CVSS (Max):  None available when published                        



OVERVIEW

        PuTTY is an SSH and telnet client written for Windows and also
        ported to Unix-like systems. A vulnerability (CVE-2024-31497) has
        recently been reported in PuTTY versions 0.68 to 0.80 which could
        allow an attacker to recover NIST P-521 private keys used for
        client authentication, because the ECDSA nonces (random values
        used once per signature) are "heavily biased" [2]. PuTTY derived
        each nonce deterministically from a SHA-512 hash and reduced it
        modulo the group order; for P-521 the order is 521 bits long but
        the hash output is only 512 bits, so the first 9 bits of every
        nonce are zero [3]. This allows full secret key recovery from
        roughly 60 signatures using state-of-the-art lattice techniques
        for the hidden number problem. The signatures are not
        transmitted in the clear (they travel inside the encrypted SSH
        transport), so an attacker in a man-in-the-middle position cannot
        collect them; they can, however, be harvested by any server the
        client authenticates to, including a malicious one, or from any
        other source in which they appear, e.g. signed git commits made
        through a forwarded SSH agent (PuTTY's agent is Pageant). The
        nonce generation for other curves is slightly biased as well.
        However, the bias is negligible and far from enough to perform
        lattice-based key recovery attacks (not considering
        cryptanalytical advancements) [1].
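
        The bias described above, as an added example that is not part of
        this bulletin or of PuTTY's source: the Python below models a nonce
        built the way the PuTTY advisory [3] describes (a SHA-512 output
        reduced modulo the group order), confirms that for P-521 the top 9
        of the 521 nonce bits can never be set, and derives the
        ceil(521/9) = 58 signature count behind the "roughly 60" figure.
        The hash-input encoding (private key bytes followed by the message
        hash) is a simplifying assumption, not PuTTY's exact construction;
        the group orders are the standard NIST values.

```python
"""Model of the CVE-2024-31497 nonce bias (added illustration, not PuTTY code)."""
from __future__ import annotations

import hashlib
import math
import secrets

# Group orders of NIST P-521 and P-256 (standard values); P-521's order is
# 01FF...FFFA 51868783 ... 91386409 in full hex, 521 bits long.
P521_ORDER = int("01" + "F" * 65
                 + "A51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)
P256_ORDER = int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)
HASH_BITS = 512  # SHA-512 output length


def biased_nonce(priv: int, msg_hash: bytes, order: int) -> int:
    """Deterministic nonce in the style the PuTTY advisory describes: SHA-512
    over the private key and the message hash, reduced modulo the group order.
    The input encoding (key bytes || message hash) is an assumption here."""
    key_bytes = priv.to_bytes((order.bit_length() + 7) // 8, "big")
    digest = hashlib.sha512(key_bytes + msg_hash).digest()
    return int.from_bytes(digest, "big") % order


def structural_zero_bits(order: int) -> int:
    """Top nonce bits that can never be set: the hash supplies 512 bits, so an
    order longer than that is never reached and the excess bits stay zero."""
    return max(order.bit_length() - HASH_BITS, 0)


def max_nonce_bits(order: int, samples: int = 200) -> int:
    """Largest nonce bit length observed over random keys and messages."""
    worst = 0
    for _ in range(samples):
        priv = 1 + secrets.randbelow(order - 1)
        k = biased_nonce(priv, secrets.token_bytes(64), order)
        worst = max(worst, k.bit_length())
    return worst


def signatures_needed(order: int) -> int | None:
    """Minimum signatures for key recovery from the fixed zero bits: each
    signature leaks that many bits of its nonce, and the lattice attack needs
    at least order.bit_length() leaked bits in total. None means no
    structural leak exists for this order."""
    leak = structural_zero_bits(order)
    return math.ceil(order.bit_length() / leak) if leak else None


if __name__ == "__main__":
    for name, order in (("P-521", P521_ORDER), ("P-256", P256_ORDER)):
        print(f"{name}: {order.bit_length()}-bit order, fixed zero bits "
              f"{structural_zero_bits(order)}, max nonce bits seen "
              f"{max_nonce_bits(order)}, signatures needed {signatures_needed(order)}")
```

        Run it directly to see the two curves side by side. For P-256 the
        512-bit hash is longer than the order, so the reduction actually
        happens and the only skew is the tiny modular-reduction bias the
        overview calls negligible; for P-521 the reduction is a no-op and
        the top 9 bits are fixed at zero, which is exactly the leak the
        lattice attack consumes.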


IMPACT

        All NIST P-521 client keys ever used with PuTTY 0.68 to 0.80 must
        be considered compromised: the attack can be carried out even
        after the root cause has been fixed in the source code, as long
        as roughly 60 pre-patch signatures are available to an
        adversary [1]. Patching alone therefore does not protect an
        existing key.

        The following products (the list is not necessarily complete)
        bundle an affected PuTTY version and are therefore vulnerable as
        well [2]:

        - FileZilla 3.24.1 - 3.66.5
        - WinSCP 5.9.5 - 6.3.2
        - TortoiseGit 2.4.0.2 - 2.15.0
        - TortoiseSVN 1.10.0 - 1.14.6



MITIGATION

        The PuTTY maintainers recommend treating every P-521 key that was
        used with an affected version as compromised: remove the
        corresponding public key from all OpenSSH authorized_keys files,
        as well as from equivalent locations in other SSH servers.
        Removing the public key does not invalidate signatures that were
        already made, but it stops the recovered private key from being
        accepted for authentication. Following this, users should
        generate a new key pair to replace the compromised one [3].
        Upgrade PuTTY to 0.81 or later (and the bundling products listed
        above to a release that ships a fixed PuTTY) before generating or
        using any replacement P-521 key, since an unpatched client would
        leak the new key in the same way. Keys of other types are not
        affected by this issue and need not be rotated for it [3].
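
        To act on that advice across many accounts, an added example that
        is not AusCERT's or the PuTTY project's code: the Python below
        scans OpenSSH authorized_keys content for ecdsa-sha2-nistp521
        entries, checking both the type label and the key type embedded in
        the base64 blob (the field the server actually parses), and reads
        the key type from a PuTTY .ppk file header so affected private keys
        can be located on the client side as well. The sample
        authorized_keys lines and .ppk header are constructed for the
        example and contain no real key material.

```python
"""Find NIST P-521 SSH keys exposed by CVE-2024-31497 (added example; constructed samples)."""
from __future__ import annotations

import base64
import shlex
import struct

P521_TYPE = "ecdsa-sha2-nistp521"
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Decode one SSH string at offset; returns (value, next offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated SSH string")
    return blob[start:start + length], start + length


def embedded_key_type(b64: str) -> str | None:
    """Key type stored inside the base64 blob (the field the server parses),
    or None if the blob is not a well-formed SSH public key."""
    try:
        blob = base64.b64decode(b64, validate=True)
        key_type, off = read_ssh_string(blob, 0)
        if key_type.startswith(b"ecdsa-sha2-"):
            curve, _ = read_ssh_string(blob, off)
            if key_type != b"ecdsa-sha2-" + curve:
                return None  # type string and curve name disagree
        return key_type.decode("ascii")
    except (ValueError, struct.error):
        return None


def parse_authorized_key(line: str) -> dict | None:
    """Split an authorized_keys line into options, type label, blob, comment.
    Options may hold quoted strings with spaces (command="..."), so shlex
    does the tokenising; blank and comment lines yield None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    try:
        tokens = shlex.split(stripped)
    except ValueError:
        return None
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            return {"options": tokens[:i], "label": tok, "blob": tokens[i + 1],
                    "comment": " ".join(tokens[i + 2:])}
    return None


def find_p521_keys(authorized_keys_text: str) -> list[dict]:
    """Entries whose label or embedded type is P-521; a disagreement between
    the two is flagged as 'mismatch' for manual review."""
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), start=1):
        entry = parse_authorized_key(line)
        if entry is None:
            continue
        embedded = embedded_key_type(entry["blob"])
        if P521_TYPE in (entry["label"], embedded):
            hits.append({"line": lineno, "label": entry["label"], "embedded": embedded,
                         "comment": entry["comment"], "mismatch": embedded != entry["label"]})
    return hits


def ppk_key_type(ppk_text: str) -> str | None:
    """Key type from a PuTTY private key file, whose first line reads
    'PuTTY-User-Key-File-<version>: <type>'."""
    first = ppk_text.splitlines()[0] if ppk_text.strip() else ""
    if first.startswith("PuTTY-User-Key-File-") and ":" in first:
        return first.split(":", 1)[1].strip()
    return None


def dummy_ecdsa_blob(key_type: bytes, point_len: int) -> str:
    """Constructed ECDSA blob: correct wire layout, all-zero point, unusable as a key."""
    curve = key_type[len(b"ecdsa-sha2-"):]
    point = b"\x04" + bytes(point_len)
    return base64.b64encode(ssh_string(key_type) + ssh_string(curve) + ssh_string(point)).decode()


# Constructed sample inputs; none of these are real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample",
    "ecdsa-sha2-nistp256 " + dummy_ecdsa_blob(b"ecdsa-sha2-nistp256", 64) + " bob@desktop",
    'command="/usr/bin/rrsync /backup",no-pty ' + P521_TYPE + " "
    + dummy_ecdsa_blob(b"ecdsa-sha2-nistp521", 132) + " backup@winscp",
    "ssh-ed25519 " + base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode()
    + " alice@laptop",
])
SAMPLE_PPK_HEADER = "PuTTY-User-Key-File-3: ecdsa-sha2-nistp521\nEncryption: none\n"
```

        On a real host, feed find_p521_keys() the contents of each user's
        authorized_keys file and remove the reported lines, then have the
        owners generate replacements with a patched client; on Windows
        clients, ppk_key_type() run over the users' .ppk files identifies
        which private keys were of the affected type. Lines whose label
        and embedded type disagree are flagged rather than silently
        trusted either way.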


REFERENCES

        [1] Secret Key Recovery of NIST P-521 Private Keys Through Biased
            ECDSA Nonces in PuTTY Client
            https://seclists.org/oss-sec/2024/q2/122

        [2] PuTTY vulnerability can be exploited to recover private keys
            (CVE-2024-31497)
            https://www.helpnetsecurity.com/2024/04/16/cve-2024-31497/

        [3] PuTTY vulnerability vuln-p521-bias
            https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html




AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================