Security researchers have disclosed a critical vulnerability in the widely used PuTTY SSH and Telnet client, tracked as CVE-2024-31497. The flaw, present in PuTTY versions 0.68 through 0.80, allows attackers to recover private keys generated with the NIST P-521 elliptic curve because of a bias in how PuTTY generates ECDSA nonces. Specifically, the first 9 bits of each nonce are always zero, which lets an attacker fully recover the private key from approximately 60 signatures using lattice cryptanalysis techniques.
To demonstrate the vulnerability, security researcher Hugo Bond has published a Proof-of-Concept (PoC) exploit on GitHub. This exploit takes advantage of the nonce bias to recover private keys from signatures generated by vulnerable PuTTY versions. An attacker could gather the required signatures through various means, such as setting up a malicious SSH server, capturing signatures from PuTTY clients, or extracting signatures from signed Git commits and other sources where PuTTY was used.
The impact of this vulnerability extends beyond PuTTY itself to several popular tools that bundle vulnerable PuTTY versions, including FileZilla, WinSCP, TortoiseGit, and TortoiseSVN. The PuTTY developers have responded by releasing version 0.81, which addresses the flaw, and patched versions are also available for most affected third-party tools. Patching alone does not undo past exposure, however: an attacker who obtains around 60 signatures produced by a vulnerable version can still recover the key. Therefore, any NIST P-521 key ever used with PuTTY or the related tools should be considered compromised and revoked immediately.
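Because the remediation is to find and revoke every P-521 key that may have been used with a vulnerable client, the first practical step for an administrator is an inventory. The following script is an added example, not code from the article, the PuTTY project or the PoC author: it parses `authorized_keys`-style lines by decoding the SSH wire-format key blob (rather than trusting the key-type prefix) and reports which entries use `nistp521`, and it reads the algorithm name from the header line of a PuTTY `.ppk` file. All key material below is constructed from arbitrary bytes so the example runs offline; the `SAMPLE_*` inputs and the function names are assumptions of this example.

```python
import base64
import struct
from typing import Dict, List, Optional, Tuple

# Curve whose PuTTY-generated keys are affected by CVE-2024-31497.
AFFECTED_CURVE = "nistp521"


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_strings(blob: bytes) -> List[bytes]:
    """Split a public-key blob into its length-prefixed fields, rejecting truncation."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + n])
        off += n
    return fields


def classify_key_line(line: str) -> Dict[str, Optional[str]]:
    """Return key type, embedded curve name (ECDSA only) and the trailing comment.

    Handles an optional leading options field (e.g. from="...") and verifies that the
    key type inside the blob matches the textual key type, so a mislabelled line is
    flagged instead of silently classified."""
    parts = line.split()
    idx = next((i for i, p in enumerate(parts)
                if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None or idx + 1 >= len(parts):
        raise ValueError("no key type / blob found")
    key_type = parts[idx]
    fields = parse_ssh_strings(base64.b64decode(parts[idx + 1], validate=True))
    if fields[0].decode() != key_type:
        raise ValueError(f"blob type {fields[0]!r} does not match {key_type!r}")
    curve = fields[1].decode() if "ecdsa-sha2-" in key_type else None
    return {"key_type": key_type, "curve": curve, "comment": " ".join(parts[idx + 2:])}


def find_p521_keys(authorized_keys: str) -> List[Tuple[int, str]]:
    """Return (line number, comment) for every entry whose embedded curve is nistp521."""
    hits = []
    for lineno, raw in enumerate(authorized_keys.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        info = classify_key_line(line)
        if info["curve"] == AFFECTED_CURVE:
            hits.append((lineno, info["comment"] or ""))
    return hits


def ppk_algorithm(ppk_text: str) -> str:
    """Read the algorithm from the first line of a PuTTY key file:
    'PuTTY-User-Key-File-<N>: <algorithm>'."""
    header, _, algo = ppk_text.splitlines()[0].partition(":")
    if not header.startswith("PuTTY-User-Key-File-"):
        raise ValueError("not a PuTTY key file")
    return algo.strip()


# --- constructed sample data (arbitrary bytes, not real keys) -----------------
def _ecdsa_line(curve: str, point: bytes) -> str:
    key_type = "ecdsa-sha2-" + curve
    blob = ssh_string(key_type.encode()) + ssh_string(curve.encode()) + ssh_string(point)
    return key_type + " " + base64.b64encode(blob).decode()


def _ed25519_line(pub: bytes) -> str:
    blob = ssh_string(b"ssh-ed25519") + ssh_string(pub)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    _ecdsa_line("nistp521", b"\x04" + b"\x11" * 132) + " alice@laptop (PuTTYgen)",
    _ecdsa_line("nistp256", b"\x04" + b"\x22" * 64) + " bob@workstation",
    'from="10.0.0.0/8" ' + _ed25519_line(b"\x33" * 32) + " deploy@ci",
    "",
])

SAMPLE_PPK = "PuTTY-User-Key-File-3: ecdsa-sha2-nistp521\nEncryption: none\nComment: constructed\n"

if __name__ == "__main__":
    for lineno, comment in find_p521_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: P-521 key ({comment}) - revoke and replace")
    if ppk_algorithm(SAMPLE_PPK).endswith(AFFECTED_CURVE):
        print("sample .ppk is a P-521 key - treat as compromised")
```

Decoding the blob matters because the textual key type and the curve name inside the blob are separate fields; checking the embedded name catches entries whose prefix was edited or mislabelled. Any hit should be revoked from every server and the key regenerated with the patched release.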
Given PuTTY’s widespread use, especially on Windows platforms, this vulnerability has significant implications. Users are strongly advised to upgrade to patched versions as soon as possible and replace any potentially exposed keys. The publication of a PoC exploit increases the urgency, as it raises the likelihood of threat actors exploiting this vulnerability in the wild.