The maintainers of the PuTTY Secure Shell (SSH) and Telnet client are alerting users to a critical vulnerability affecting versions 0.68 through 0.80 that can be exploited to recover NIST P-521 (ecdsa-sha2-nistp521) private keys.
The flaw has been assigned the CVE identifier CVE-2024-31497. Its discovery is credited to researchers Fabian Bäumer and Marcus Brinkmann of Ruhr-Universität Bochum.
“The impact of this vulnerability is the compromise of private keys,” the PuTTY project said in a report.
“An attacker with dozens of signed messages and public keys would have enough information to recover the private keys and then forge the signatures as if they came from you, allowing them to (for example) log into any server you use.”
However, in order to obtain those signatures, the attacker would first have to compromise a server that the key is used to authenticate to.
In a message posted on the Open Source Software Security (oss-sec) mailing list, Bäumer described the flaw as stemming from biased generation of ECDSA nonces (the per-signature random numbers), which enables recovery of the private key.
“The first nine digits of every ECDSA random number are zeros,” Bäumer explains. “This allows the recovery of the complete key in approximately 60 signatures using state-of-the-art techniques.”
“These signatures can be obtained by a malicious server (man-in-the-middle attacks are not possible since the client does not transmit signatures in clear text), or from any other source, such as a git commit signed by a forward proxy.”
Beyond PuTTY itself, the vulnerability also affects other products that bundle vulnerable versions of the PuTTY code:
- FileZilla (3.24.1 – 3.66.5)
- WinSCP (5.9.5 – 6.3.2)
- TortoiseGit (2.4.0.2 – 2.15.0)
- TortoiseSVN (1.10.0 – 1.14.6)
Following responsible disclosure, the issue has been fixed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1. TortoiseSVN users are advised to use Plink from PuTTY 0.81 when accessing SVN repositories over SSH until a patched release is available.
Specifically, the fix switches to the RFC 6979 deterministic nonce-generation scheme for all DSA and ECDSA key types, replacing PuTTY's earlier home-grown method of deriving the nonce deterministically. That earlier method was designed to avoid the need for a high-quality source of randomness, but it produced biased nonces.
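To make the fix concrete, here is an added, self-contained Python implementation of the RFC 6979 nonce derivation (section 3.2 of the RFC), written for this article and not taken from PuTTY's source. It is checked against the RFC's own P-256/SHA-256 test vector for the message "sample" (appendix A.2.5), and then run on a constructed P-521 private key (not a real secret) to show that the derived nonce spans the full 521-bit width of the group order rather than carrying a run of leading zero bits as the vulnerable scheme did.

```python
import hashlib
import hmac


def _bits2int(b: bytes, qlen: int) -> int:
    """RFC 6979 bits2int: interpret b as big-endian, keep only the leftmost qlen bits."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - qlen) if blen > qlen else v


def _int2octets(x: int, rlen: int) -> bytes:
    """RFC 6979 int2octets: fixed-width big-endian encoding of x (rlen bytes)."""
    return x.to_bytes(rlen, "big")


def _bits2octets(b: bytes, q: int, qlen: int, rlen: int) -> bytes:
    """RFC 6979 bits2octets: bits2int(b) reduced mod q, then int2octets."""
    return _int2octets(_bits2int(b, qlen) % q, rlen)


def rfc6979_nonce(q: int, x: int, message: bytes, hashname: str = "sha256") -> int:
    """Derive the ECDSA/DSA nonce k for (private key x, message) per RFC 6979 3.2.

    q is the group order, x the private scalar (1 <= x < q). The nonce is a
    deterministic function of x and H(message): no RNG is consulted, and the
    HMAC-DRBG loop produces candidates until one falls in [1, q-1].
    """
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    hlen = hashlib.new(hashname).digest_size
    h1 = hashlib.new(hashname, message).digest()

    def mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashname).digest()

    x_octets = _int2octets(x, rlen)
    h_octets = _bits2octets(h1, q, qlen, rlen)

    # Steps b-g: seed the HMAC-DRBG state (V, K) with the key and message hash.
    V = b"\x01" * hlen
    K = b"\x00" * hlen
    K = mac(K, V + b"\x00" + x_octets + h_octets)
    V = mac(K, V)
    K = mac(K, V + b"\x01" + x_octets + h_octets)
    V = mac(K, V)

    # Step h: generate qlen bits of output, retry if the candidate is out of range.
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = mac(K, V)
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        K = mac(K, V + b"\x00")
        V = mac(K, V)


def nonce_leading_zero_bits(q: int, x: int, message: bytes, hashname: str) -> int:
    """How many of the top bits of the derived nonce are zero (qlen - bit length)."""
    return q.bit_length() - rfc6979_nonce(q, x, message, hashname).bit_length()


# Group orders of NIST P-256 and P-521 (public curve parameters).
Q_P256 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
Q_P521 = int("01" + "F" * 65
             + "A51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)

# RFC 6979 appendix A.2.5 test key (published, not a real secret).
X_P256 = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
K_P256_SAMPLE = 0xA6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60

# Constructed P-521 private scalar for the demonstration (not a real key).
X_P521 = int.from_bytes(hashlib.sha512(b"constructed demo key, not a real secret").digest(), "big")

if __name__ == "__main__":
    k = rfc6979_nonce(Q_P256, X_P256, b"sample", "sha256")
    print("P-256 vector matches RFC 6979:", k == K_P256_SAMPLE)
    for msg in (b"sample", b"test", b"git commit", b"ssh userauth"):
        print(f"P-521 nonce for {msg!r}: leading zero bits =",
              nonce_leading_zero_bits(Q_P521, X_P521, msg, "sha512"))
```

The P-256 check passes only if every step of the derivation is right, which is why the RFC vector is used as the reference. The P-521 runs use SHA-512 (512 bits) for a 521-bit order, so the inner loop concatenates two HMAC outputs and then truncates to the leftmost 521 bits, exactly the case where a scheme that fixes the top bits would reveal itself.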
Most importantly, any ECDSA NIST P-521 key that was ever used with a vulnerable component should be treated as compromised and revoked: remove it from every authorized_keys file (and the equivalent trust stores of other SSH servers) and replace it with a freshly generated key.
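The revocation step is easy to get wrong on a server with many keys and option-prefixed entries, so here is an added Python helper (written for this article, not part of PuTTY or OpenSSH) that parses an authorized_keys file, identifies every ecdsa-sha2-nistp521 entry, and returns the file with those entries removed. It verifies the key type both from the declared type token and from the type string embedded at the start of the base64 blob, so an entry cannot slip past by mislabelling. The sample file it runs on is constructed inline with placeholder key material, not real keys.

```python
import base64
import re
import struct

# Declared key type followed by its base64 blob; options such as command="..."
# may precede the type, so the pattern is searched for rather than anchored.
KEY_LINE = re.compile(
    r"(?P<type>ssh-[a-z0-9]+|ecdsa-sha2-nistp\d{3}|sk-[a-z0-9-]+@openssh\.com)"
    r"\s+(?P<blob>[A-Za-z0-9+/]+=*)"
)

VULNERABLE_TYPE = "ecdsa-sha2-nistp521"


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def blob_key_type(blob_b64: str):
    """Return the key type string embedded in the blob, or None if undecodable."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        return raw[4:4 + n].decode("ascii")
    except Exception:
        return None


def parse_authorized_keys(text: str):
    """Yield one dict per non-comment line: declared type, embedded type, line number."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = KEY_LINE.search(stripped)
        entries.append({
            "lineno": lineno,
            "line": line,
            "type": m["type"] if m else None,
            "blob_type": blob_key_type(m["blob"]) if m else None,
        })
    return entries


def is_p521(entry) -> bool:
    """Flag if either the declared or the embedded type is the vulnerable P-521 type."""
    return VULNERABLE_TYPE in (entry["type"], entry["blob_type"])


def strip_p521_keys(text: str):
    """Return (new file contents, removed lines) with all P-521 entries dropped."""
    flagged = {e["lineno"] for e in parse_authorized_keys(text) if is_p521(e)}
    kept, removed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        (removed if lineno in flagged else kept).append(line)
    return "\n".join(kept) + ("\n" if kept else ""), removed


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode("ascii")


# Constructed sample authorized_keys with placeholder key material (not real keys).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys (placeholder keys, not real)",
    "ssh-ed25519 " + _b64(ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)) + " alice@laptop",
    'command="/usr/bin/svnserve -t",no-pty ecdsa-sha2-nistp521 '
    + _b64(ssh_string(b"ecdsa-sha2-nistp521") + ssh_string(b"nistp521")
           + ssh_string(b"\x04" + b"\x00" * 132)) + " bob@build",
    "ecdsa-sha2-nistp256 "
    + _b64(ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
           + ssh_string(b"\x04" + b"\x00" * 64)) + " carol@desk",
    "",
])

if __name__ == "__main__":
    cleaned, removed = strip_p521_keys(SAMPLE_AUTHORIZED_KEYS)
    for line in removed:
        print("REVOKE:", line)
    print("--- remaining authorized_keys ---")
    print(cleaned, end="")
```

On a real host, run it over each user's `~/.ssh/authorized_keys`, review the `REVOKE:` lines, and only then write the cleaned contents back; the point bytes in the sample blobs are placeholders, since the scan only inspects the type strings, never the curve point.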