The developers of the PuTTY Secure Shell (SSH) and Telnet client have issued a warning about a critical vulnerability affecting versions 0.68 through 0.80. The flaw allows an attacker to recover NIST P-521 (ecdsa-sha2-nistp521) private keys and, with the key in hand, to authenticate as its owner to any server that trusts it.
Identified as CVE-2024-31497, the vulnerability was discovered by researchers Fabian Bäumer and Marcus Brinkmann at Ruhr University Bochum. According to the advisory from the PuTTY project, “The effect of the vulnerability is to compromise the private key.” An attacker who holds the public key and a few dozen messages signed with it can reconstruct the private key, after which they can forge signatures and log in to any system that accepts that key.
Exploitation requires a supply of signatures made with the key rather than access to the key file itself. Every SSH login with the key hands the server one signature, so an attacker who operates, or has compromised, a server the victim authenticates to collects them without doing anything unusual, which is why the security of the servers a key is used against matters here. In a message on the Open Source Software Security (oss-sec) mailing list, Bäumer attributed the flaw to PuTTY's generation of biased ECDSA nonces, which is what makes the private key recoverable from those signatures.
Bäumer explained, “The first 9 bits of each ECDSA nonce are zero,” a bias that lets the secret key be reconstructed from roughly 60 signatures. These signatures can be collected by a malicious server or obtained through other means, such as Git commits signed through a forwarded agent.
In addition to PuTTY itself, applications that embed or bundle the affected PuTTY code are exposed: FileZilla (versions 3.24.1 to 3.66.5), WinSCP (5.9.5 to 6.3.2), TortoiseGit (2.4.0.2 to 2.15.0), and TortoiseSVN (1.10.0 to 1.14.6). Fixed releases followed responsible disclosure; users should update each of these tools to its latest version, and any tool configured to call an external Plink or Pageant should be pointed at the binaries shipped with PuTTY 0.81.
The vulnerability has been resolved in PuTTY 0.81, and in the updated versions of the other software, by adopting the RFC 6979 deterministic nonce technique for all DSA and ECDSA key types. The previous method derived the nonce from a SHA-512 hash and reduced the 512-bit result modulo the group order. For the roughly 160-bit order of integer DSA and the 256- and 384-bit orders of the other NIST curves, the bias this introduces is negligible, but the P-521 group order is 521 bits long, so the reduction does nothing and the top 9 bits of every nonce are zero. The old approach dates from a period when Microsoft Windows lacked a usable cryptographic random number generator, which is why PuTTY derived nonces deterministically from a hash in the first place.
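As an added example (not code from the PuTTY project or from the researchers), the following Python compares the two nonce derivations described above for the P-521 group order: a simplified model of the pre-0.81 method (a single SHA-512 digest reduced mod n; the exact hash input is an assumption for the demo, not PuTTY's code) and RFC 6979 as specified in its section 3.2. It checks the RFC 6979 code against the RFC's own P-256/SHA-256 test vector, then counts how many leading bits of each nonce are forced to zero: the legacy path can never produce more than 512 bits, so it always shows at least 9 zero bits, while RFC 6979 draws from all 521 bits. The private key used is constructed for the demo.

```python
import hashlib
import hmac

# Group order of NIST P-521 (SEC 2, section 2.6.1). It is 521 bits long, which is the whole
# problem: a nonce taken from a 512-bit hash can never set its top 9 bits.
N_P521 = int("01" + "F" * 65 +
             "A51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)
assert N_P521.bit_length() == 521

# Group order of NIST P-256, used only to check the RFC 6979 code against the RFC's test vector.
N_P256 = int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)


def legacy_nonce(priv: int, msg: bytes, n: int) -> int:
    """Model of the pre-0.81 derivation: a single SHA-512 digest reduced mod n.

    The hash input (key bytes plus message digest) is an assumption for this demo,
    not PuTTY's exact code. The point is that the digest has 512 bits, and reducing
    a 512-bit value mod a 521-bit n changes nothing.
    """
    digest = hashlib.sha512(priv.to_bytes(66, "big") + hashlib.sha512(msg).digest()).digest()
    return int.from_bytes(digest, "big") % n


def rfc6979_nonce(priv: int, h1: bytes, n: int, hashfunc) -> int:
    """Deterministic nonce per RFC 6979 section 3.2 (HMAC_DRBG seeded with key and message hash).

    Output is drawn from the full qlen-bit range, so no fixed bits are ever zero.
    """
    qlen = n.bit_length()
    rlen = (qlen + 7) // 8          # bytes needed to hold a value mod n
    hlen = hashfunc().digest_size

    def bits2int(b: bytes) -> int:
        # Keep only the leftmost qlen bits (RFC 6979, section 2.3.2).
        excess = len(b) * 8 - qlen
        v = int.from_bytes(b, "big")
        return v >> excess if excess > 0 else v

    def int2octets(x: int) -> bytes:
        return x.to_bytes(rlen, "big")

    def bits2octets(b: bytes) -> bytes:
        return int2octets(bits2int(b) % n)

    V = b"\x01" * hlen
    K = b"\x00" * hlen
    K = hmac.new(K, V + b"\x00" + int2octets(priv) + bits2octets(h1), hashfunc).digest()
    V = hmac.new(K, V, hashfunc).digest()
    K = hmac.new(K, V + b"\x01" + int2octets(priv) + bits2octets(h1), hashfunc).digest()
    V = hmac.new(K, V, hashfunc).digest()
    while True:
        T = b""
        while len(T) * 8 < qlen:     # for P-521 with SHA-512 this concatenates two HMAC outputs
            V = hmac.new(K, V, hashfunc).digest()
            T += V
        k = bits2int(T)
        if 1 <= k < n:
            return k
        K = hmac.new(K, V + b"\x00", hashfunc).digest()
        V = hmac.new(K, V, hashfunc).digest()


def p256_sample_nonce() -> int:
    """RFC 6979 appendix A.2.5 check: P-256, SHA-256, message "sample".
    The RFC lists k = A6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60."""
    x = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
    return rfc6979_nonce(x, hashlib.sha256(b"sample").digest(), N_P256, hashlib.sha256)


def leading_zero_bits(k: int, n: int) -> int:
    """Number of top bits of a nonce mod n that came out zero."""
    return n.bit_length() - k.bit_length()


def min_leading_zeros(count: int = 50):
    """Generate `count` nonces with each method for a constructed (not real) P-521 key and
    return (smallest leading-zero count among legacy nonces, same for RFC 6979 nonces)."""
    priv = int.from_bytes(hashlib.sha512(b"constructed demo key, not a real one").digest(), "big")
    legacy, fixed = [], []
    for i in range(count):
        msg = b"signed message %d" % i
        legacy.append(leading_zero_bits(legacy_nonce(priv, msg, N_P521), N_P521))
        h1 = hashlib.sha512(msg).digest()
        fixed.append(leading_zero_bits(rfc6979_nonce(priv, h1, N_P521, hashlib.sha512), N_P521))
    return min(legacy), min(fixed)


if __name__ == "__main__":
    worst_legacy, worst_fixed = min_leading_zeros()
    print("legacy model: every nonce has at least", worst_legacy, "leading zero bits")
    print("RFC 6979:     at least one nonce has", worst_fixed, "leading zero bits")
```

The 9 guaranteed zero bits are exactly the per-signature leakage that the lattice attack described by Bäumer turns into the private key; RFC 6979 removes it without needing a random number generator at all, which is why it could replace the old scheme for every key type rather than only P-521.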
Given the severity of this vulnerability, ECDSA NIST P-521 keys used within any of the affected applications should be deemed compromised and revoked; this includes keys that were only ever used through a forwarded agent, since the signatures were still produced by the affected code. Other key types are not affected by this flaw. Users should generate replacement keys and remove the old public keys from authorized_keys files and similar configurations on every server that accepted them.
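To make the revocation step concrete, here is an added Python scanner (not part of this page or of PuTTY) that walks an authorized_keys file, decodes each key blob, and reports every entry whose blob is an ecdsa-sha2-nistp521 key, then produces the file with those entries removed. It parses the blob rather than trusting the declared type, so an entry whose text label disagrees with its key data is still flagged, and it copes with option prefixes such as command="..." quoting. The sample file, the key blobs in it (zero-filled points, not real keys) and the user names are all constructed for the demo.

```python
import base64
import shlex
import struct

AFFECTED_TYPE = "ecdsa-sha2-nistp521"


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _blob(*fields: bytes) -> str:
    """Base64 public-key blob made of SSH strings (used only to build the constructed sample)."""
    return base64.b64encode(b"".join(_ssh_string(f) for f in fields)).decode()


# Constructed sample authorized_keys content. The points are zero-filled placeholders
# of the right length (133 bytes for P-521, 65 for P-256), not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    "ssh-ed25519 " + _blob(b"ssh-ed25519", b"\x00" * 32) + " alice@laptop",
    "ecdsa-sha2-nistp521 " + _blob(b"ecdsa-sha2-nistp521", b"nistp521", b"\x04" + b"\x00" * 132) + " bob@putty",
    'command="/usr/bin/backup",no-pty ecdsa-sha2-nistp521 '
    + _blob(b"ecdsa-sha2-nistp521", b"nistp521", b"\x04" + b"\x00" * 132) + " backup job",
    "ecdsa-sha2-nistp256 " + _blob(b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x00" * 64) + " carol",
    # Declared type disagrees with the blob: a grep for the type name would miss this one.
    "ssh-rsa " + _blob(b"ecdsa-sha2-nistp521", b"nistp521", b"\x04" + b"\x00" * 132) + " mislabelled",
])


def blob_key_type(token: str):
    """Return the key type recorded inside a base64 public-key blob, or None if `token` is not one."""
    try:
        raw = base64.b64decode(token, validate=True)
        (length,) = struct.unpack(">I", raw[:4])
        name = raw[4:4 + length]
        if length == 0 or len(name) != length:
            return None
        return name.decode("ascii")
    except (ValueError, struct.error, UnicodeDecodeError):
        return None


def parse_line(line: str):
    """Split one authorized_keys line into (options, declared_type, blob_type, comment), or None.

    The key-type token is found by locating the first token that is followed by a decodable
    blob; everything before it is options, everything after the blob is the comment.
    """
    tokens = shlex.split(line, comments=True)
    for i in range(len(tokens) - 1):
        inner = blob_key_type(tokens[i + 1])
        if inner is not None and inner.split("-")[0] in ("ssh", "ecdsa", "sk"):
            return tokens[:i], tokens[i], inner, " ".join(tokens[i + 2:])
    return None


def find_p521_keys(text: str):
    """Return [(line_number, comment)] for every entry whose blob is a P-521 ECDSA key."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is not None and parsed[2] == AFFECTED_TYPE:
            hits.append((lineno, parsed[3]))
    return hits


def strip_p521_keys(text: str) -> str:
    """Return the file content with every P-521 ECDSA entry removed; comments and other keys stay."""
    flagged = {lineno for lineno, _ in find_p521_keys(text)}
    kept = [line for i, line in enumerate(text.splitlines(), 1) if i not in flagged]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTHORIZED_KEYS
    for lineno, comment in find_p521_keys(text):
        print(f"line {lineno}: {AFFECTED_TYPE} key ({comment!r}) must be revoked")
```

Run it against a real file with `python3 scan.py ~/.ssh/authorized_keys`; on the constructed sample it reports lines 3, 4 and 6, including the entry labelled ssh-rsa whose blob is actually a P-521 key. Removing the entries is only half the job: the replacement keys still have to be generated with a fixed client, and any Git signing or agent-forwarding setup that used the old key needs the same treatment.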
For businesses leveraging these tools, the exposure is wider than the one client that did the signing. The attack chain is initial access by operating or compromising a server the victim connects to, recovery of the key from the signatures harvested there, and then persistent access to every other host that trusts the key, with whatever privileges that key's account holds. Treat every server an affected key could log in to as potentially reached, and review those hosts for logins with that key from unexpected sources.
Ongoing awareness and proactive security measures are critical as the landscape of cybersecurity threats continues to evolve. Following these incidents, businesses must ensure they are equipped with the necessary defenses to safeguard against unauthorized access and data breaches.