The developers of PuTTY have released an update to patch a critical vulnerability that can be exploited to recover secret keys.
PuTTY is an open source client program for SSH, Telnet, and other network protocols, enabling connections to remote servers and file transfers.
Two researchers from Ruhr University Bochum in Germany discovered that the client and related components “generate heavily biased ECDSA nonces in the case of NIST P-521”, which enables full secret key recovery. The vulnerability is tracked as CVE-2024-31497.
“The nonce bias allows for full secret key recovery of NIST P-521 keys after a malicious actor has seen roughly 60 valid ECDSA signatures generated by any PuTTY component under the same key,” the researchers explained.
They noted that the required signatures can be obtained by a malicious server or from other sources, such as signed git commits.
“All NIST P-521 client keys used with PuTTY must be considered compromised, given that the attack can be carried out even after the root cause has been fixed in the source code (assuming that ~60 pre-patch signatures are available to an adversary),” the researchers warned.
PuTTY developers have provided an explanation on how a threat actor could recover a key and what they could use it for.
“An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key, and then forge signatures as if they were from you, allowing them to (for instance) log in to any servers you use that key for,” they explained. “To obtain these signatures, an attacker need only briefly compromise any server you use the key to authenticate to, or momentarily gain access to a copy of Pageant holding the key.”
PuTTY versions 0.68 through 0.80 are affected, and PuTTY 0.81 fixes the vulnerability. Several products that rely on an affected PuTTY version are vulnerable as well, including FileZilla, WinSCP, TortoiseGit and TortoiseSVN. Patches or mitigations are available for these products as well.
Affected keys must be revoked immediately, PuTTY developers urged users.
An entry for CVE-2024-31497 in NIST’s National Vulnerability Database warns that the vulnerability could allow supply chain attacks.
*updated with information from the NIST NVD advisory
Related: Multiple Vulnerabilities Patched in PuTTY and LibSSH2
Related: JumpCloud Says All API Keys Invalidated to Protect Customers
Related: Tech Giants Form Post-Quantum Cryptography Alliance