Users are being notified by the developers of the PuTTY Secure Shell (SSH) and Telnet client about a serious flaw that affects versions 0.68 through 0.80 and has the potential to be used to fully recover NIST P-521 (ecdsa-sha2-nistp521) private keys.

The vulnerability has been designated CVE-2024-31497, and researchers Fabian Bäumer and Marcus Brinkmann of the Ruhr University Bochum are credited with discovering it.

Cyber Security Programs: Your First Step Towards a Secure Future

A warning from the PuTTY project stated, “The vulnerability has the effect of compromising the private key.”

“An attacker in possession of a few dozen signed messages, and the public key has enough information to recover the private key and then forge signatures as if they were from you, allowing them to (for instance) log in to any servers you use that key for.”

However, an attacker will need to gain access to the server to which the key is used to authenticate in order to obtain the signatures.

Bäumer stated that the vulnerability could allow for the recovery of the private key, which was caused by the production of biased ECDSA cryptographic nonces in a message published on the Open Source Software Security (oss-sec) mailing list.

According to Bäumer, “each ECDSA nonce has nine zero bits in it.” “This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques.”

“These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents.”

It affects not just PuTTY but also other products that use a susceptible software version.

• FileZilla versions 3.24.1-366.5,
• 6.3.2 – 5.9.5 of WinSCP
• TortoiseSVN (1.10.0 – 1.14.6) TortoiseGit (2.4.0.2 – 2.15.0)

The problem has been fixed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1 after responsible disclosure. Until a patch is released, TortoiseSVN users are advised to utilize Plink from the most recent PuTTY 0.81 release when logging into an SVN repository over SSH.

It was specifically resolved by abandoning its previous method of deriving the nonce using a deterministic approach that, while avoiding the need for a source of high-quality randomness, was prone to biased nonces when using P-521. Instead, all DSA and ECDSA key types now use the RFC 6979 technique.

The inventors of PuTTY said that this earlier method was developed when Microsoft Windows did not come with built-in support for a cryptographic random number generator.

When ECDSA NIST-P521 keys are utilized in conjunction with any of the susceptible elements, they should be regarded as compromised and removed from ~/.ssh/authorized_keys files, as well as their corresponding files in other SSH servers.

SOURCE