Researchers have identified a significant security flaw in the PuTTY client, designated CVE-2024-31497, that compromises the secrecy of NIST P-521 private keys through biased ECDSA nonces. Because PuTTY is one of the most widely used SSH and Telnet clients, primarily on Windows, the flaw potentially affects a large number of users worldwide.
PuTTY is popular open-source software that provides remote access to computers over a network using protocols such as SSH (Secure Shell) and Telnet. It is widely used for secure remote administration, so the soundness of its cryptography is crucial for protecting user data and authentication credentials.
The flaw was reported by Fabian Bäumer and Marcus Brinkmann of the Chair for Network and Data Security at Ruhr University Bochum. In PuTTY versions 0.68 through 0.80, the ECDSA nonces generated for keys on the NIST P-521 curve are significantly biased: the top 9 bits of every nonce are zero. The cause is that the nonce was derived from a SHA-512 hash, which yields only 512 bits, and then reduced modulo the curve's 521-bit group order. A 512-bit value is already smaller than the order, so the reduction changes nothing and the nine most significant bits of the 521-bit nonce are never set.
Each ECDSA signature leaks information about its nonce, and nonces with a known bias can be recovered with lattice techniques. With this 9-bit bias, an attacker who observes roughly 60 signatures made with the same key can compute the private key. Every SSH authentication with the key produces one such signature, so a malicious or compromised server that the user has logged into around 60 times has everything it needs, as does anyone who can read Git commits signed with an affected key.
Once the private key is recovered, the attacker can forge signatures and authenticate as the legitimate key holder to any system that trusts the key. This could lead to unauthorized access to sensitive systems and data, which is particularly serious for SSH, where the key is the credential.
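To make the bias concrete, here is an added example (written for this page; it is not PuTTY's code and not the researchers' code). It reconstructs a simplified form of the flawed derivation, a SHA-512 output reduced modulo the P-521 group order, beside an RFC 6979 derivation, the deterministic scheme PuTTY 0.81 switched to, and measures how many top bits of the 521-bit nonce are forced to zero. The private scalar and messages are constructed for the demo. Recovering the key from the biased signatures is a lattice (hidden number problem) computation that this example does not perform.

```python
import hashlib
import hmac

# Order n of the NIST P-521 group (FIPS 186-4, D.1.2.5). It is 521 bits long:
# 2**520 < n < 2**521, so a uniform nonce needs all 521 bit positions covered.
P521_N = int("01FF" + "FFFF" * 15 + "FFFA"
             + "51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)


def biased_nonce(priv: int, msg_hash: bytes) -> int:
    """Simplified reconstruction of the flawed derivation (assumption: this is
    a sketch, NOT PuTTY's code): one SHA-512 over private key and message hash,
    reduced mod n. SHA-512 gives at most 512 bits and 2**512 < n, so the
    reduction is a no-op and the top 9 bits of the 521-bit nonce are always 0."""
    digest = hashlib.sha512(priv.to_bytes(66, "big") + msg_hash).digest()
    return int.from_bytes(digest, "big") % P521_N


def rfc6979_nonce(priv: int, msg_hash: bytes, n: int = P521_N) -> int:
    """RFC 6979 deterministic nonce with HMAC-SHA512. Candidate bits are drawn
    until a full qlen-bit value lands in [1, n-1], so no bit is forced to zero."""
    qlen = n.bit_length()        # 521
    rolen = (qlen + 7) // 8      # 66 bytes

    def bits2int(b: bytes) -> int:
        v = int.from_bytes(b, "big")
        blen = len(b) * 8
        return v >> (blen - qlen) if blen > qlen else v

    def int2octets(x: int) -> bytes:
        return x.to_bytes(rolen, "big")

    def bits2octets(b: bytes) -> bytes:
        z = bits2int(b)
        return int2octets(z - n if z >= n else z)

    def mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha512).digest()

    v, k = b"\x01" * 64, b"\x00" * 64
    seed = int2octets(priv) + bits2octets(msg_hash)
    k = mac(k, v + b"\x00" + seed)
    v = mac(k, v)
    k = mac(k, v + b"\x01" + seed)
    v = mac(k, v)
    while True:
        t = b""
        while len(t) * 8 < qlen:
            v = mac(k, v)
            t += v
        cand = bits2int(t)
        if 1 <= cand < n:
            return cand
        k = mac(k, v + b"\x00")
        v = mac(k, v)


def leading_zero_bits(nonce: int, n: int = P521_N) -> int:
    """Zero bits at the top of k when k is written at the bit width of n."""
    return n.bit_length() - nonce.bit_length()


def min_leading_zero_bits(derive, priv: int, count: int = 32) -> int:
    """Derive nonces for `count` distinct constructed messages and return the
    smallest top-zero-bit count observed. A sound scheme reaches 0; the flawed
    one can never go below 9, which is exactly the bias the attack exploits."""
    zeros = []
    for i in range(count):
        h = hashlib.sha512(b"constructed message %d" % i).digest()
        zeros.append(leading_zero_bits(derive(priv, h)))
    return min(zeros)


def demo_private_key() -> int:
    """Constructed private scalar for the demo (not a real key)."""
    return int.from_bytes(hashlib.sha512(b"constructed test key").digest(), "big") % P521_N


if __name__ == "__main__":
    priv = demo_private_key()
    print("flawed derivation, min top-zero bits:", min_leading_zero_bits(biased_nonce, priv))
    print("RFC 6979,          min top-zero bits:", min_leading_zero_bits(rfc6979_nonce, priv))
```

The flawed derivation reports 9 for every message, while the RFC 6979 derivation reaches 0 within a handful of messages; the structural defect (a 512-bit hash feeding a 521-bit nonce) cannot be fixed by choosing a different message or key, only by the derivation itself.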
Scope of impact
Apart from PuTTY itself, the vulnerability extends to other software that bundles or is built on affected versions of PuTTY's code for SSH key handling, including:
- FileZilla versions 3.24.1 to 3.66.5
- WinSCP versions 5.9.5 to 6.3.2
- TortoiseGit versions 2.4.0.2 to 2.15.0
- TortoiseSVN versions 1.10.0 to 1.14.6
The issue has been addressed in PuTTY version 0.81. Users of affected software are urged to update to the latest versions where the vulnerability has been patched. Specifically:
- FileZilla has been secured in version 3.67.0.
- WinSCP in version 6.3.3.
- TortoiseGit in version 2.15.0.1.
Users of TortoiseSVN should switch to using Plink from the latest PuTTY release for SVN repository access via SSH until further updates are made available.
Any ECDSA key on the NIST P-521 curve (SSH key type ecdsa-sha2-nistp521) that has been used with a vulnerable version of any of these products should be treated as compromised, regardless of how or where it was generated: the flaw is in signing, not in key generation. Such keys should be revoked and replaced immediately. That means generating a new key and removing the old public key from every server's authorized_keys file and from any other system (Git hosting services, bastion hosts, CI pipelines) that accepts it for authentication or signature verification. Keys of other types, such as RSA, Ed25519 and ECDSA on P-256 or P-384, are not affected by this flaw.
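The following added example (written for this page, not code from PuTTY or the affected projects) helps with the inventory step. It finds ecdsa-sha2-nistp521 entries in authorized_keys content by decoding each key blob's embedded type, curve name and point length rather than trusting the label at the start of the line, and it recognises a PuTTY .ppk file holding such a key from its first line. The sample authorized_keys lines and .ppk header are constructed with dummy points; none of them is a real key.

```python
import base64
import struct

AFFECTED_TYPE = b"ecdsa-sha2-nistp521"   # the only key type CVE-2024-31497 affects


def _ssh_string(b: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(blob: bytes, off: int):
    """Decode one SSH wire-format string at `off`; returns (bytes, new offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated string body")
    return blob[off:off + length], off + length


def is_p521_pubkey(line: str) -> bool:
    """True if an authorized_keys-style line carries a P-521 ECDSA key.

    The base64 blob, not the leading type label, is authoritative (sshd reads
    the key type from inside the blob), so every token is tried: option prefixes
    such as command="..." and mislabeled or hand-edited type tokens do not matter."""
    line = line.strip()
    if not line or line.startswith("#"):
        return False
    for tok in line.split():
        try:
            blob = base64.b64decode(tok, validate=True)
            ktype, off = _read_string(blob, 0)
            if ktype != AFFECTED_TYPE:
                continue
            curve, off = _read_string(blob, off)
            point, off = _read_string(blob, off)
        except ValueError:          # not base64, bad padding, or truncated blob
            continue
        # Uncompressed point 0x04 || X || Y with 66-byte coordinates on P-521.
        if curve == b"nistp521" and len(point) == 133 and point[0] == 0x04:
            return True
    return False


def scan_authorized_keys(text: str) -> list:
    """Return the 1-based line numbers of P-521 entries that must be revoked."""
    return [i for i, line in enumerate(text.splitlines(), 1) if is_p521_pubkey(line)]


def is_p521_ppk(text: str) -> bool:
    """True if PuTTY .ppk content (format 2 or 3) holds a P-521 key; the first
    line reads 'PuTTY-User-Key-File-<n>: <keytype>'."""
    first = text.lstrip().split("\n", 1)[0].strip()
    prefix, _, ktype = first.partition(":")
    return prefix.startswith("PuTTY-User-Key-File-") and ktype.strip().encode() == AFFECTED_TYPE


def _fake_blob(ktype: bytes, curve: bytes, coord_len: int) -> str:
    """Constructed sample blob (NOT a real key): correct wire format, dummy point."""
    point = b"\x04" + bytes(range(1, coord_len + 1)) + bytes(range(1, coord_len + 1))
    return base64.b64encode(_ssh_string(ktype) + _ssh_string(curve) + _ssh_string(point)).decode()


# Constructed sample authorized_keys content: lines 2 and 4 hold P-521 keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ecdsa-sha2-nistp521 " + _fake_blob(b"ecdsa-sha2-nistp521", b"nistp521", 66) + " alice@laptop",
    "ecdsa-sha2-nistp256 " + _fake_blob(b"ecdsa-sha2-nistp256", b"nistp256", 32) + " bob@desktop",
    'command="/usr/bin/backup",no-pty ecdsa-sha2-nistp521 '
    + _fake_blob(b"ecdsa-sha2-nistp521", b"nistp521", 66) + " backup",
    "ssh-ed25519 " + base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode() + " carol",
])

# Constructed .ppk header fragment (not a complete or real key file).
SAMPLE_PPK = "PuTTY-User-Key-File-3: ecdsa-sha2-nistp521\nEncryption: none\nComment: constructed-sample\n"

if __name__ == "__main__":
    print("authorized_keys lines to revoke:", scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS))
    print("sample .ppk is P-521:", is_p521_ppk(SAMPLE_PPK))
```

Run `scan_authorized_keys` over the contents of `~/.ssh/authorized_keys` (and any AuthorizedKeysFile your sshd is configured with) on every server the user reached, and `is_p521_ppk` over the .ppk files in the user's profile; a hit on either side means the key is on the revoke list, even if the public-key line was relabeled as a different type.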
Users of PuTTY and related tools should verify their software versions and update immediately to prevent potential exploits.