A security vulnerability with CVE-2024-31497 has been discovered in the popular SSH client software PuTTY. The vulnerability is currently awaiting analysis, so its CVSS Base Score is unknown yet.
Description:
In several PuTTY versions there exists a flaw related to biased ECDSA nonce generation. Specifically, biased ECDSA nonce generation allows attackers to potentially retrieve a user’s NIST P-521 secret key with minimal effort, requiring only about 60 signatures.
The impact of this vulnerability is especially significant in scenarios where an adversary can read messages signed by PuTTY or Pageant.
This vulnerability if exploited leads to the required set of signed messages being publicly readable since they are stored in a public Git service that supports use of SSH for commit signing. Consequently, attackers could possess sufficient signature data to compromise a victim’s private key, regardless of whether vulnerable PuTTY versions are still in use.
Potential Impact:
If an adversary operates an SSH server to which a victim authenticates, they can derive the victim’s private key. This could lead to unauthorized access to other services where the victim uses the same private key. Additionally, since SSH is sometimes used for authentication to Git services, this vulnerability could potentially be leveraged for supply-chain attacks on software maintained in Git repositories.
Affected Versions:
According to NIST, CVE-2024-31497 impacts all PuTTY versions from 0.68 to 0.80 (before 0.81).
Besides PuTTY, other software like FileZilla (before version 3.67.0), WinSCP (before version 6.3.3), TortoiseGit (before version 2.15.0.1), and TortoiseSVN (up to version 1.14.6) are also impacted by this vulnerability.
Recommendations:
To address this critical vulnerability, the following steps can be followed:
- Upgrade PuTTY to version 0.81 or later. This version includes a fix for the biased ECDSA nonce generation vulnerability. Kindly ensure that all instances of PuTTY on your systems are updated promptly.
- Review SSH Key Usage:
- Audit your SSH key usage.
- Identify any keys that were used with vulnerable versions of PuTTY.
- Generate new keys for affected users and replace the old ones. This will prevent potential exploitation of compromised keys.
- Monitor for Anomalies:
- Monitor SSH authentication logs for any unusual activity related to key-based authentication.
- Detect any unauthorized access attempts or signs of key compromise.
- Evaluate other options based on your specific requirements.
- Educate Users about the importance of updating their SSH clients.
- You could consider using alternative SSH clients like OpenSSH or Bitvise SSH Client.
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-31497
- https://thehackernews.com/2024/04/widely-used-putty-ssh-client-found.html?m=1
- https://github.com/advisories/GHSA-6p4c-r453-8743
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31497