===========================================================================
                  AUSCERT Security Bulletin ASB-2024.0072
                       Critical PuTTY Vulnerability
                              17 April 2024
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:            PuTTY
Operating System:   Windows
                    UNIX variants (UNIX, Linux, OSX)
Resolution:         Patch/Upgrade
CVE Names:          CVE-2024-31497
Comment:            CVSS (Max): None available when published

OVERVIEW

PuTTY is an SSH and telnet client for the Windows platform.

A vulnerability (CVE-2024-31497) has recently been reported in PuTTY
(versions 0.68 to 0.80) that could allow attackers to recover NIST P-521
client keys because the ECDSA nonces (random values used once) are
"heavily biased" [2]. More precisely, the first 9 bits of each ECDSA nonce
are zero. This allows full secret key recovery from roughly 60 signatures
using state-of-the-art techniques. These signatures can be harvested either
by a malicious server (man-in-the-middle attacks are not possible, since
clients do not transmit their signature in the clear) or from any other
source, e.g. signed git commits made through forwarded agents.

The nonce generation for other curves is slightly biased as well. However,
that bias is negligible and far from enough to perform lattice-based key
recovery attacks (not considering cryptanalytical advancements) [1].

IMPACT

All NIST P-521 client keys used with PuTTY (0.68 - 0.80) must be considered
compromised, given that the attack can be carried out even after the root
cause has been fixed in the source code (assuming that ~60 pre-patch
signatures are available to an adversary) [1].

The following (not necessarily complete) list of products bundle an
affected PuTTY version and are therefore vulnerable as well [2]:

- FileZilla 3.24.1 - 3.66.5
- WinSCP 5.9.5 - 6.3.2
- TortoiseGit 2.4.0.2 - 2.15.0
- TortoiseSVN 1.10.0 - 1.14.6

MITIGATION

The PuTTY maintainers recommend removing the compromised public key from
all OpenSSH authorized_keys files, as well as from equivalent locations in
other SSH servers. This ensures that any signatures made with the
compromised key are no longer valid. Following this, users should generate
a new key pair to replace the compromised one [3].

REFERENCES

[1] Secret Key Recovery of NIST P-521 Private Keys Through Biased ECDSA
    Nonces in PuTTY Client
    https://seclists.org/oss-sec/2024/q2/122

[2] PuTTY vulnerability can be exploited to recover private keys
    (CVE-2024-31497)
    https://www.helpnetsecurity.com/2024/04/16/cve-2024-31497/

[3] PuTTY vulnerability vuln-p521-bias
    https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
===========================================================================
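As an added example of the mitigation step above (not code from AusCERT or the PuTTY project), the following Python scans authorized_keys content and flags every ECDSA NIST P-521 entry for removal and re-issue, reading the curve name from inside the base64 key blob rather than trusting the text prefix. The sample file contents are constructed with dummy point bytes and are not real keys.

```python
import base64
import struct

def parse_ssh_strings(blob: bytes) -> list:
    # Split a decoded public-key blob into its uint32-length-prefixed fields.
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])  # struct.error if truncated
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    return fields

def is_p521_key(line: str) -> bool:
    # True if an authorized_keys line carries an ECDSA key on NIST P-521. The curve
    # is read from inside the blob, not from the text prefix; a leading options
    # field (e.g. command="...") is tolerated as long as it contains no spaces.
    parts = line.strip().split()
    if not parts or parts[0].startswith("#"):
        return False
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            try:
                fields = parse_ssh_strings(base64.b64decode(parts[i + 1], validate=True))
            except (ValueError, struct.error):
                return False
            return (len(fields) >= 2 and fields[0] == b"ecdsa-sha2-nistp521"
                    and fields[1] == b"nistp521")
    return False

def flag_p521_keys(authorized_keys_text: str) -> list:
    # Lines an administrator should remove and have their owners re-issue.
    return [ln for ln in authorized_keys_text.splitlines() if is_p521_key(ln)]

def make_blob(key_type: bytes, curve: bytes, point: bytes) -> str:
    # Build a base64 ECDSA public-key blob; used here only to construct samples.
    return base64.b64encode(b"".join(struct.pack(">I", len(f)) + f for f in (key_type, curve, point))).decode()

# Constructed sample authorized_keys content with dummy point bytes (not real keys).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ecdsa-sha2-nistp521 " + make_blob(b"ecdsa-sha2-nistp521", b"nistp521", b"\x04" + b"\x01" * 132) + " alice@putty",
    "ecdsa-sha2-nistp256 " + make_blob(b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x02" * 64) + " bob@laptop",
    'command="/bin/true" ecdsa-sha2-nistp521 ' + make_blob(b"ecdsa-sha2-nistp521", b"nistp521", b"\x04" + b"\x03" * 132) + " deploy",
    "# comment line",
])
```

Not every P-521 key was generated or used with an affected PuTTY build, so flagged entries are candidates to confirm with their owners before removal; the bulletin treats any key that was used with PuTTY 0.68 - 0.80 as compromised regardless of where the private key now lives.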