The maintainers of the PuTTY Secure Shell (SSH) and Telnet client are alerting users of a critical vulnerability impacting versions from 0.68 through 0.80 that could be exploited to achieve full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys.
The flaw has been assigned the CVE identifier CVE-2024-31497, with the discovery credited to researchers Fabian Bäumer and Marcus Brinkmann from the Ruhr University Bochum.
“The effect of the vulnerability is to compromise the private key,” the PuTTY project said in an advisory.
“An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key, and then forge signatures as if they were from you, allowing them to (for instance) log in to any servers you use that key for.”
However, in order to obtain the signatures, an attacker will have to compromise the server for which the key is used to authenticate to.
In a message posted on the Open Source Software Security (oss-sec) mailing list, Bäumer described the flaw as stemming from the generation of biased ECDSA cryptographic nonces, which could enable the recovery of the private key.
“The first 9 bits of each ECDSA nonce are zero,” Bäumer explained. “This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques.”
“These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents.”
Besides impacting PuTTY, it also affects other products that incorporate a vulnerable version of the software –
FileZilla (3.24.1 – 3.66.5)
WinSCP (5.9.5 – 6.3.2)
TortoiseGit (2.4.0.2 – 2.15.0)
TortoiseSVN (1.10.0 – 1.14.6)
Following responsible disclosure, the issue has been addressed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1. Users of TortoiseSVN are recommended to use Plink from the latest PuTTY 0.81 release when accessing an SVN repository via SSH until a patch becomes available.
Specifically, it has been resolved by switching to the RFC 6979 technique for all DSA and ECDSA key types, abandoning its earlier method of deriving the nonce using a deterministic approach that, while avoiding the need for a source of high-quality randomness, was susceptible to biased nonces when using P-521.
On top of that, ECDSA NIST-P521 keys used with any of the vulnerable components should be considered compromised and consequently revoked by removing them from ~/.ssh/authorized_keys files and their equivalents in other SSH servers.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.