Critical PuTTY Client Vulnerability Lets Attackers Recover Private Keys
A severe vulnerability has been discovered in the PuTTY client and related components, allowing attackers to fully recover NIST P-521 private keys.
The PuTTY client generates heavily biased ECDSA nonces when using the NIST P-521 elliptic curve, causing the vulnerability tracked as CVE-2024-31497.
PuTTY Client Vulnerability
The PuTTY client and all related components, including FileZilla, WinSCP, TortoiseGit, and TortoiseSVN, generate ECDSA nonces with the first 9 bits set to zero when using the NIST P-521 elliptic curve.
This significant bias in the nonce generation allows attackers to recover the full private key after observing roughly 60 valid ECDSA signatures from the same key.
The attack works by leveraging state-of-the-art lattice-based techniques to recover the private key from the biased nonces.
An attacker can either harvest the signatures from a malicious server (since the signatures are transmitted over the secure SSH channel) or from any other source, such as signed git commits.
“All NIST P-521 client keys used with PuTTY must be considered compromised, given that the attack can be carried out even after the root cause has been fixed in the source code (assuming that ~60 pre-patch signatures are available to an adversary),” the advisory states.
Impact and Affected Products
The nonce bias vulnerability allows for full secret key recovery of NIST P-521 keys after an attacker has observed approximately 60 valid ECDSA signatures generated by any PuTTY component under the same key.
This means that the attacker can forge any data signed with these compromised keys, such as git commits.
The following PuTTY-related products are affected by this vulnerability:
- FileZilla 3.24.1 – 3.66.5
- WinSCP 5.9.5 – 6.3.2
- TortoiseGit 2.4.0.2 – 2.15.0
- TortoiseSVN 1.10.0 – 1.14.6[1]
Mitigations
The vulnerability has been fixed in the latest versions of the affected products:
- PuTTY 0.81
- FileZilla 3.67.0
- WinSCP 6.3.3
- TortoiseGit 2.15.1
- TortoiseSVN 1.14.7
Users are strongly advised to update to these patched versions as soon as possible to mitigate the risk of private key compromise.
Source: https://bit.ly/3uS5LZ2