Advisory

PuTTY SSH Client flaw allows recovery of ECDSA private keys

Take action: This one is more complicated to address than just patching. If you use PuTTY, FileZilla, WinSCP or TortoiseGit, consider yourself at risk: the flaw spans roughly seven years of PuTTY releases. First upgrade the programs to the fixed versions, which is the easy part. Then review the private keys used with those tools: every ECDSA NIST P-521 key (the ecdsa-sha2-nistp521 key type) that has ever produced a signature through an affected version is exposed, regardless of where the key was generated. Keys of other types (RSA, Ed25519, ECDSA P-256 and P-384) are not affected. Deciding which keys qualify can be hard, so if you cannot establish that a key was never used with an affected version, plan to rotate it. You don't need to panic, but you do need to do the work, because eventually someone will collect enough signatures made with your key.


Learn More

A security vulnerability has been reported in the signature generation code of the popular SSH client PuTTY that allows recovery of a user's private key from the signatures it produces.

The flaw is tracked as CVE-2024-31497 (CVSS score 5.9) and affects versions 0.68 through 0.80. It concerns the implementation of the NIST P-521 curve in the Elliptic Curve Digital Signature Algorithm (ECDSA); keys on other curves and other key types are not affected.

ECDSA is a digital signature algorithm: a signature made with a private key can be verified by anyone holding the corresponding public key. It is defined over several curves, such as P-256, P-384 and P-521, where the number indicates the size of the underlying prime field in bits.

The vulnerability arises from the way PuTTY generated the nonce, a per-signature secret value (usually written k) on which the security of every ECDSA signature depends. A nonce is a number meant to be used only once; in ECDSA it must also be unpredictable and uniformly distributed over the group order, because reusing a nonce, or even leaking a few bits of it across many signatures, lets an attacker recover the private key.

Normally, each signature gets a fresh, unpredictable nonce. PuTTY's DSA code dates from around 2001, when no standard deterministic method existed (RFC 6979 was published in 2013), so the developers derived the nonce from a SHA-512 hash of the private key and the message. This deterministic approach is sound as long as the hash output covers the full range of the group order, but SHA-512 produces only 512 bits, while the P-521 group order is 521 bits long. The top 9 bits of every nonce are therefore always zero, which is a nonce bias.
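The nonce bias described above, as an added example that is not part of the original advisory or of PuTTY's own code: the first function models the scheme the text describes (SHA-512 over the private key and message hash, reduced mod n; the exact byte layout PuTTY used is not reproduced and is an assumption here), the second is an RFC 6979 nonce generator with HMAC-SHA-512 for the P-521 group order, and the last one measures how many leading bits of the 521-bit nonce are always zero for each. The private key and the messages are constructed test values.

```python
import hashlib
import hmac

# Group order n of NIST P-521 (FIPS 186-4 / SEC 2); it is 521 bits long.
P521_N = int(
    "01FF" + "FFFFFFFF" * 7 + "FFFFFFFA"
    "51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
    16,
)
QLEN = P521_N.bit_length()        # 521
RLEN_BYTES = (QLEN + 7) // 8      # 66 octets: RFC 6979's rlen rounded up to bytes

# Constructed test private key (not a real key); any value in [1, n-1] works.
D_TEST = int.from_bytes(hashlib.sha512(b"constructed test key").digest(), "big") % P521_N


def putty_style_nonce(d: int, h: bytes) -> int:
    """Model of the scheme the advisory describes: k = SHA-512(d || h) mod n.
    (The exact byte layout PuTTY used is an assumption here.)  The digest is
    only 512 bits, so for a 521-bit n the reduction never changes anything
    and bits 512..520 of k are always zero: a 9-bit bias."""
    digest = hashlib.sha512(d.to_bytes(RLEN_BYTES, "big") + h).digest()
    return int.from_bytes(digest, "big") % P521_N


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha512).digest()


def _bits2int(b: bytes) -> int:
    """RFC 6979 2.3.2: keep only the leftmost QLEN bits of a bit string."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - QLEN) if blen > QLEN else v


def _int2octets(x: int) -> bytes:
    """RFC 6979 2.3.3: fixed-width big-endian encoding of x."""
    return x.to_bytes(RLEN_BYTES, "big")


def _bits2octets(h: bytes) -> bytes:
    """RFC 6979 2.3.4: reduce the hash mod q, then encode it."""
    return _int2octets(_bits2int(h) % P521_N)


def rfc6979_nonce(d: int, h: bytes) -> int:
    """RFC 6979 section 3.2 (HMAC_DRBG with HMAC-SHA-512) for q = P521_N.
    Still deterministic, but every nonce is a full 521-bit value."""
    hlen = hashlib.sha512().digest_size
    V = b"\x01" * hlen
    K = b"\x00" * hlen
    seed = _int2octets(d) + _bits2octets(h)
    K = _mac(K, V + b"\x00" + seed)
    V = _mac(K, V)
    K = _mac(K, V + b"\x01" + seed)
    V = _mac(K, V)
    while True:
        T = b""
        while len(T) * 8 < QLEN:          # two 512-bit blocks for a 521-bit q
            V = _mac(K, V)
            T += V
        k = _bits2int(T)                  # leftmost 521 bits of T
        if 1 <= k < P521_N:
            return k
        K = _mac(K, V + b"\x00")          # out of range: update state, retry
        V = _mac(K, V)


def leading_zero_bits(k: int) -> int:
    """Leading zero bits of k when written as a QLEN-bit value."""
    return QLEN - k.bit_length()


def min_leading_zero_bits(nonce_fn, d: int = D_TEST, count: int = 200) -> int:
    """Derive nonces for `count` distinct constructed messages and return the
    smallest leading-zero count seen.  An unbiased generator reaches 0 almost
    surely within a few samples; the SHA-512 scheme can never go below 9."""
    worst = QLEN
    for i in range(count):
        h = hashlib.sha512(b"constructed message %d" % i).digest()
        worst = min(worst, leading_zero_bits(nonce_fn(d, h)))
    return worst


if __name__ == "__main__":
    print("SHA-512 scheme, minimum leading zero bits:", min_leading_zero_bits(putty_style_nonce))
    print("RFC 6979, minimum leading zero bits:      ", min_leading_zero_bits(rfc6979_nonce))
```

The 9 bits that are always zero are exactly what the attack consumes: each signature then gives a linear relation in the private key whose unknown nonce is known to be smaller than n by a factor of 2^9, and a few dozen such relations form a lattice in which the key is the short vector.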

This bias is exploitable. With the public key and roughly 60 signatures made with the same key, an attacker can recover the private key: biased nonces turn ECDSA key recovery into a hidden-number problem that is solved with lattice reduction. The signatures can be collected by a malicious or compromised SSH server, which receives a signature from the client's key every time the user authenticates, or taken from signed Git commits. Signatures on Git commits may be publicly available, making them a practical vector for attackers.

Recovering the private key is equivalent to obtaining the user's credentials: the attacker can log in to every SSH server that trusts the key and can sign commits that appear to come from the developer.

The developers released PuTTY version 0.81, which replaces the flawed k-generation method with the RFC 6979 technique for all DSA and ECDSA keys. Users of affected versions should update to this release immediately AND revoke and replace any P-521 private key that was used with a vulnerable version of PuTTY: updating alone does not protect a key whose signatures have already been observed.
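One way to carry out the key-review step, as an added example that is not part of the original advisory or of PuTTY: the scanner below walks the given directories for PuTTY .ppk files, OpenSSH .pub files and authorized_keys files and reports every line that names an ecdsa-sha2-nistp521 key. It relies on the "PuTTY-User-Key-File-N: <algorithm>" header that PuTTY writes as the first line of a .ppk file and on the "<algorithm> <base64> [comment]" layout of OpenSSH public-key lines. The directory, file names and key lines built in demo() are constructed test data, not real keys.

```python
import tempfile
from pathlib import Path

AFFECTED_ALG = "ecdsa-sha2-nistp521"
KEY_FILE_NAMES = {"authorized_keys"}
KEY_FILE_SUFFIXES = {".ppk", ".pub"}


def key_algorithm(line: str):
    """Return the SSH algorithm named on a key line, or None.

    Handles the PuTTY header 'PuTTY-User-Key-File-N: <algorithm>' and OpenSSH
    public-key / authorized_keys lines '<algorithm> <base64> [comment]', which
    may be preceded by options such as from="..." or command="...".
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("PuTTY-User-Key-File-"):
        return line.split(":", 1)[1].strip()
    for token in line.split():
        # Option tokens never start with an algorithm prefix; the key type
        # always precedes the comment, so the first match is the key type.
        if token.startswith(("ssh-", "ecdsa-", "sk-")):
            return token
    return None


def is_key_file(path: Path) -> bool:
    return path.name in KEY_FILE_NAMES or path.suffix.lower() in KEY_FILE_SUFFIXES


def scan_for_p521_keys(roots):
    """Return (path, line_number) for every affected key found under roots."""
    hits = []
    for root in map(Path, roots):
        if root.is_file():
            candidates = [root]
        else:
            candidates = [p for p in root.rglob("*") if p.is_file() and is_key_file(p)]
        for f in sorted(candidates):
            try:
                lines = f.read_text(encoding="utf-8", errors="replace").splitlines()
            except OSError:
                continue
            for number, line in enumerate(lines, 1):
                if key_algorithm(line) == AFFECTED_ALG:
                    hits.append((str(f), number))
    return hits


def demo():
    """Build a constructed key directory (no real keys) and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "deploy.ppk").write_text(
        "PuTTY-User-Key-File-3: ecdsa-sha2-nistp521\nEncryption: none\n")
    (root / "laptop.ppk").write_text(
        "PuTTY-User-Key-File-3: ssh-ed25519\nEncryption: none\n")
    (root / "authorized_keys").write_text(
        'from="10.0.0.1" ecdsa-sha2-nistp256 AAAAE2VjZHNh... alice\n'
        "# old build key\n"
        'command="/usr/bin/build",no-pty ecdsa-sha2-nistp521 AAAAE2VjZHNh... bob\n')
    (root / "notes.txt").write_text("ecdsa-sha2-nistp521 mentioned in prose only\n")
    return scan_for_p521_keys([root])


if __name__ == "__main__":
    for path, number in demo():
        print(f"{path}:{number}: {AFFECTED_ALG} key, rotate it")
```

OpenSSH private key files (openssh-key-v1) carry the key type only inside their base64 payload, so check the matching .pub file instead; and a hit in a server's authorized_keys tells you which accounts still trust a key that may have been used from an affected client.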

Affected software that incorporates vulnerable PuTTY versions includes:

  • FileZilla versions 3.24.1 through 3.66.5 (fixed in 3.67.0)
  • WinSCP versions 5.9.5 through 6.3.2 (fixed in 6.3.3)
  • TortoiseGit versions 2.4.0.2 through 2.15.0 (fixed in 2.15.0.1)
  • TortoiseSVN versions 1.10.0 through 1.14.6 (mitigation: configure it to use Plink from PuTTY 0.81)
