Bug 2275183 (CVE-2024-31497) - CVE-2024-31497 putty: secret key recovery of NIST P-521 private keys through biased ECDSA nonces in putty client
Summary: CVE-2024-31497 putty: secret key recovery of NIST P-521 private keys through ...
Status: NEW
Alias: CVE-2024-31497
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On: 2275186 2275184 2275185 2275187
Reported: 2024-04-15 21:22 UTC by Robb Gatica
Modified: 2024-04-15 21:30 UTC (History)

Fixed In Version: PuTTY 0.81, FileZilla 3.67.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:


Description Robb Gatica 2024-04-15 21:22:04 UTC
In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is able to read messages signed by PuTTY or Pageant. One scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. Because SSH is sometimes used to authenticate to Git services, it is possible that this vulnerability could be leveraged for supply-chain attacks on software maintained in Git. It is also conceivable that signed messages from PuTTY or Pageant are readable by adversaries more easily in other scenarios, but none have yet been disclosed.

### Affected Products

- PuTTY 0.68 - 0.80

The following (not necessarily complete) list of products bundle an 
affected PuTTY version and are therefore vulnerable as well:

- FileZilla 3.24.1 - 3.66.5
- WinSCP 5.9.5 - 6.3.2
- TortoiseGit - 2.15.0
- TortoiseSVN 1.10.0 - 1.14.6

### Impact

The nonce bias allows for full secret key recovery of NIST P-521 keys 
after a malicious actor has seen roughly 60 valid ECDSA signatures 
generated by any PuTTY component under the same key. Luckily, client 
signatures are transmitted within the secure channel of SSH, requiring a 
malicious server to acquire such signatures. If the key has been used to 
sign arbitrary data (e.g., git commits by forwarding Pageant to a 
development host), the publicly available signatures (e.g., on GitHub) 
can be used as well.

All NIST P-521 client keys used with PuTTY must be considered 
compromised, given that the attack can be carried out even after the 
root cause has been fixed in the source code (assuming that ~60 
pre-patch signatures are available to an adversary).

### Mitigations

This vulnerability has been fixed in PuTTY 0.81, FileZilla 3.67.0, 
WinSCP 6.3.3, and TortoiseGit. Users of TortoiseSVN are advised 
to configure TortoiseSVN to use Plink from the latest PuTTY 0.81 release 
when accessing an SVN repository via SSH until a patch becomes available.

ECDSA NIST-P521 keys used with any vulnerable product / component should 
be considered compromised and consequently revoked by removing them from 
authorized_keys, GitHub, ...

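The revocation step above requires finding the P-521 keys that have to be removed from authorized_keys. As an added example (not code from the PuTTY project or from this bug report), the Python below parses authorized_keys-format lines and flags every ecdsa-sha2-nistp521 key, reading the key type and curve name from the decoded key blob rather than trusting the text prefix; the sample input and its all-zero key blobs are constructed for the demonstration. A public key alone does not reveal whether it was ever used with PuTTY or Pageant, so every hit is a candidate for revocation rather than a confirmed compromise.

```python
import base64
import struct
from typing import List, Optional, Tuple

def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    """Read one SSH wire string (uint32 big-endian length + bytes) at off."""
    (n,) = struct.unpack(">I", blob[off:off + 4])  # struct.error if truncated
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_key_line(line: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Return (key type, curve or None, comment); None for blank/comment lines.
    Type and curve are read from the decoded blob, not from the text prefix."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens[:-1]):  # options like no-pty may precede the type
        if not tok.startswith(("ssh-", "ecdsa-sha2-", "sk-")):
            continue
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        ktype, off = _read_string(blob, 0)
        curve = None
        if ktype.startswith(b"ecdsa-sha2-"):
            curve = _read_string(blob, off)[0].decode()  # curve id precedes point Q
        return ktype.decode(), curve, " ".join(tokens[i + 2:])
    raise ValueError(f"no public key found in line: {line!r}")

def find_p521_keys(text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, comment) of every ecdsa-sha2-nistp521 key."""
    parsed = [(n, parse_key_line(l)) for n, l in enumerate(text.splitlines(), 1)]
    return [(n, p[2]) for n, p in parsed if p and p[:2] == ("ecdsa-sha2-nistp521", "nistp521")]

def ssh_blob(*fields: bytes) -> str:
    """Base64 of concatenated SSH wire strings, i.e. the blob column of a .pub line."""
    return base64.b64encode(b"".join(struct.pack(">I", len(f)) + f for f in fields)).decode()

# Constructed sample with all-zero points: valid wire layout, not real keys.
SAMPLE = "\n".join([
    "# constructed authorized_keys sample",
    f"ssh-ed25519 {ssh_blob(b'ssh-ed25519', bytes(32))} alice@laptop",
    f"ecdsa-sha2-nistp256 {ssh_blob(b'ecdsa-sha2-nistp256', b'nistp256', bytes(65))} bob@desk",
    'no-pty,command="echo hi" ecdsa-sha2-nistp521 ' + ssh_blob(b"ecdsa-sha2-nistp521", b"nistp521", bytes(133)) + " carol@putty-host",
])
```

Feed `find_p521_keys` the contents of a server's authorized_keys file or an exported key list from a Git hosting account; .pub files use the same line format, so the parser applies to them unchanged.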

Comment 1 Robb Gatica 2024-04-15 21:22:42 UTC
Created filezilla tracking bugs for this issue:

Affects: epel-all [bug 2275186]
Affects: fedora-all [bug 2275187]

Created putty tracking bugs for this issue:

Affects: epel-all [bug 2275184]
Affects: fedora-all [bug 2275185]
