Analysis Summary

Users are being notified by the developers of the PuTTY Secure Shell (SSH) and Telnet client about a serious flaw that affects versions 0.68 through 0.80 and has the potential to be used to fully recover NIST P-521 (ecdsa-sha2-nistp521) private keys.

The vulnerability is being tracked as CVE-2024-31497. With just a few dozen signed communications and the public key, an attacker can obtain enough information to obtain the private key and then fabricate signatures appearing to be from the user, giving them the ability to access any servers that the user uses that key on as an example. However, an attacker will need to gain access to the server that the key is used to authenticate to obtain the signatures.

The researcher who found the flaw explained it as arising from the production of biased ECDSA cryptographic nonces, which could allow the recovery of the private key, in a statement posted on the Open Source Software Security (oss-sec) mailing list. Each ECDSA nonce's initial nine bits are all zero. This enables the entire recovery of the secret key using cutting-edge methods in about 60 signatures.

Since clients do not send their signatures in the clear, these signatures can be obtained from any source, including signed Git commits through forwarding agents, or they can be harvested by a malicious server. Man-in-the-middle attacks are not possible with these signatures. It affects not just PuTTY but also other products that use this vulnerable software version, such as FileZilla (3.24.1 - 3.66.5), WinSCP (5.9.5 - 6.3.2), TortoiseGit (2.4.0.2 - 2.15.0), and TortoiseSVN (1.10.0 - 1.14.6).

The vulnerability has been fixed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1 after responsible disclosure. Until a patch is released, TortoiseSVN users are advised to utilize Plink from the most recent PuTTY 0.81 release when logging into an SVN repository over SSH.

It was specifically resolved by abandoning its previous method of deriving the nonce using a deterministic approach that, while avoiding the need for a source of high-quality randomness, was prone to biased nonces when using P-521. Instead, all DSA and ECDSA key types now use the RFC 6979 technique. Furthermore, any ECDSA NIST-P521 keys that are used in conjunction with any of the susceptible components should be regarded as compromised and revoked by deleting them from authorized_keys files and their corresponding versions on other SSH servers.