The widely used PuTTY SSH client was found vulnerable to the key recovery attack

April 16, 2024 | Pressroom | Encryption/Network Security

PuTTY SSH Client

The maintainers of the PuTTY Secure Shell (SSH) and Telnet client are alerting users to a critical vulnerability affecting versions 0.68 through 0.80 that could be exploited to achieve full recovery of NIST P-521 private keys (ecdsa-sha2-nistp521).

The defect has been assigned the identifier CVE-2024-31497, with the discovery attributed to researchers Fabian Bäumer and Marcus Brinkmann of Ruhr University Bochum.

“The effect of the vulnerability is to compromise the private key,” the PuTTY project said in an advisory.

“An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key and then spoof the signatures as if they came from you, allowing him (for example) to access any server the key is used for.”


However, to obtain those signatures, an attacker would first have to compromise a server on which the key is used for authentication.

In a message posted to the Open Source Software Security (oss-sec) mailing list, Bäumer described the flaw as stemming from the generation of biased ECDSA nonces, which allows recovery of the private key.

“The first 9 bits of each ECDSA nonce are zero,” Bäumer explained. “This enables complete recovery of the secret key across approximately 60 signatures using state-of-the-art techniques.”

“These signatures can be collected from a malicious server (man-in-the-middle attacks are not possible as clients do not transmit their signature in the clear) or from any other source, for example signed git commits via forwarded agents.”

Besides PuTTY itself, the flaw also affects other products that bundle a vulnerable version of the software:

  • FileZilla (3.24.1 – 3.66.5)
  • WinSCP (5.9.5 – 6.3.2)
  • TortoiseGit (2.4.0.2 – 2.15.0)
  • TortoiseSVN (1.10.0 – 1.14.6)

Following responsible disclosure, the issue has been resolved in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1. TortoiseSVN users are recommended to use Plink from the latest PuTTY version 0.81 when accessing an SVN repository via SSH until a patch becomes available.

Specifically, the fix switches to the RFC 6979 technique for deriving nonces for all DSA and ECDSA key types. It replaces PuTTY's earlier home-grown deterministic nonce derivation, which avoided the need for a high-quality randomness source but produced biased nonces when used with P-521.

Beyond that, any NIST P-521 ECDSA key that has been used with one of the vulnerable components should be considered compromised and revoked accordingly, by removing it from authorized_keys files and their equivalents on other SSH servers.
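An added example (not from the article or the PuTTY project) of how a server administrator could audit an authorized_keys file for the P-521 keys the advisory says to revoke. It assumes the OpenSSH authorized_keys format and the SSH public key wire encoding (RFC 4251/5656), and constructs its own sample entries; the point bytes in those entries are placeholders, not real keys.

```python
import base64
import struct

AFFECTED = "ecdsa-sha2-nistp521"  # the only key type the advisory says is affected

def _read_string(buf, off):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes) at offset off."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def blob_type_and_curve(blob_b64):
    """Decode a public key blob; return (key type, curve name or None)."""
    raw = base64.b64decode(blob_b64, validate=True)
    ktype, off = _read_string(raw, 0)
    curve = _read_string(raw, off)[0].decode() if ktype.startswith(b"ecdsa-sha2-") else None
    return ktype.decode(), curve

def find_p521_keys(text):
    """Return [(line_no, comment)] for every ecdsa-sha2-nistp521 entry in authorized_keys text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options like 'no-pty,from="10.0.0.1"' may precede the key type, so find the
        # key-type token by prefix (assumes no quoted option value contains spaces).
        idx = next((i for i, t in enumerate(tokens)
                    if t.startswith(("ssh-", "ecdsa-sha2-", "sk-"))), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        try:
            ktype, curve = blob_type_and_curve(tokens[idx + 1])
        except (ValueError, struct.error):
            continue  # not a decodable key blob; skip the line
        # Decide from the blob, not the text prefix, which anyone can edit.
        if ktype == AFFECTED and curve == "nistp521":
            hits.append((no, " ".join(tokens[idx + 2:])))
    return hits

def _blob(ktype, *fields):
    """Build a synthetic key blob in SSH wire format (constructed, not a real key)."""
    out = b"".join(struct.pack(">I", len(f)) + f for f in (ktype.encode(),) + fields)
    return base64.b64encode(out).decode()

# Constructed sample file: point bytes are placeholders, not real keys.
SAMPLE = "\n".join([
    "# constructed authorized_keys",
    "ssh-ed25519 " + _blob("ssh-ed25519", b"\x01" * 32) + " alice@laptop",
    "no-pty ecdsa-sha2-nistp521 " + _blob(AFFECTED, b"nistp521", b"\x04" + b"\x02" * 132) + " bob@winscp",
    "ecdsa-sha2-nistp256 " + _blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x03" * 64) + " carol@ci",
])
```

Running `find_p521_keys(SAMPLE)` reports only the `bob@winscp` entry; each reported key should be removed and a fresh key generated with the patched client.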
