Critical Vulnerability in PuTTY Enables Private Key Recovery
The developers of PuTTY have released an update addressing a cryptographic vulnerability, CVE-2024-31497, which affects versions 0.68 through 0.80. This flaw can be exploited to fully recover private NIST P-521 keys (ecdsa-sha2-nistp521).
The vulnerability was discovered by researchers at Ruhr University Bochum and is related to how PuTTY generates ECDSA nonces (per-signature secret numbers that must never repeat or be predictable) for the NIST P-521 elliptic curve used in SSH authentication. The issue arises because PuTTY uses a deterministic method to generate these numbers, compensating for the lack of a reliable cryptographic random number generator in certain Windows versions.
According to the researchers, a digital signature is created using the user's private key and verified with the corresponding public key on the server, which is how the server authenticates the user and secures the session. An attacker would need to analyze about 58 signatures to compute the victim's private key. These signatures can be obtained either from an SSH server the attacker controls or has compromised, or from signed Git commits.
Experts warn that collecting signatures from public commits may be far more effective and dangerous. Typically, Pageant, PuTTY's SSH agent, signs commits locally before they are pushed to the developer's Git host: Git is configured to use OpenSSH to sign commits with the SSH key provided by Pageant, so the signature itself is generated by Pageant and is therefore usable for private key recovery. Such signatures may be publicly available, for example when the commit is present in a public repository on GitHub.
“All NIST P-521 client keys used with PuTTY should be considered compromised, given that the attack can be carried out even after the main issue is fixed in the source code (provided the attacker had access to about 60 signatures before the fix),” the researchers warned. “An attacker with several dozen signatures and the public key has enough information to recover the private key and then forge signatures as if they came from you. This would allow them, for example, to access any servers where you use this key. To obtain signatures, an attacker only needs to briefly compromise any server you authenticate to with the key, or temporarily access a copy of Pageant storing the key.”
The developers fixed the vulnerability in PuTTY 0.81 by switching to RFC 6979 (deterministic nonce derivation) for all DSA and ECDSA keys. It is emphasized that all P-521 private keys generated with a vulnerable version of PuTTY should be considered unsafe and replaced as soon as possible.
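As an added example that is not part of the advisory or of PuTTY's own code: a small Python inventory check that parses authorized_keys or Git allowed_signers style lines and reports which entries are ecdsa-sha2-nistp521 keys by reading the SSH key blob itself (not just the label), so those keys can be found and rotated. The sample entries are constructed placeholders, not real keys, and the function names are the example's own.

```python
import base64
AFFECTED_KEY_TYPE = "ecdsa-sha2-nistp521"  # key type named in the advisory
def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + data)."""
    return len(data).to_bytes(4, "big") + data
def read_ssh_string(blob: bytes, offset: int):
    """Read one length-prefixed string from a key blob; returns (data, next_offset)."""
    end = offset + 4 + int.from_bytes(blob[offset:offset + 4], "big")
    if offset + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def parse_key_line(line: str):
    """Parse an authorized_keys/allowed_signers line -> (key_type, curve|None, comment) or None."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens[:-1]):  # skip leading options or principals
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            blob = base64.b64decode(tokens[i + 1], validate=True)
            key_type, off = read_ssh_string(blob, 0)
            if key_type.decode() != tok:  # the blob, not the label, is authoritative
                raise ValueError("key type token does not match blob")
            curve = None
            if tok.startswith("ecdsa-sha2-"):  # ECDSA blobs carry the curve name next
                curve = read_ssh_string(blob, off)[0].decode()
            return tok, curve, " ".join(tokens[i + 2:])
    return None

def find_affected_keys(text: str):
    """Return comments of keys whose blob says ecdsa-sha2-nistp521 on curve nistp521."""
    hits = []
    for line in text.splitlines():
        parsed = parse_key_line(line)
        if parsed and parsed[0] == AFFECTED_KEY_TYPE and parsed[1] == "nistp521":
            hits.append(parsed[2])
    return hits
def make_blob(key_type: str, *fields: bytes) -> str:
    """Build a base64 blob in SSH wire format (used only for the constructed samples)."""
    parts = (key_type.encode(),) + fields
    return base64.b64encode(b"".join(ssh_string(p) for p in parts)).decode()

# Constructed sample file; the point/key bytes are placeholders, not real keys.
SAMPLE = "\n".join([
    "# constructed authorized_keys sample",
    "ecdsa-sha2-nistp521 " + make_blob("ecdsa-sha2-nistp521", b"nistp521", b"\x04" + b"\x01" * 132) + " dev@build",
    "ecdsa-sha2-nistp256 " + make_blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x02" * 64) + " dev@laptop",
    'command="/usr/bin/true" ssh-ed25519 ' + make_blob("ssh-ed25519", b"\x03" * 32) + " ci@runner",
])
```

Running `find_affected_keys(SAMPLE)` on the constructed sample returns `['dev@build']`; the same function can be pointed at a real authorized_keys or allowed_signers file read from disk.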
The following products are known to use vulnerable versions of PuTTY:
- FileZilla 3.24.1–3.66.5 (fixed in 3.67.0);
- WinSCP 5.9.5–6.3.2 (fixed in 6.3.3);
- TortoiseGit 2.4.0.2–2.15.0 (fixed in 2.15.0.1);
- TortoiseSVN 1.10.0–1.14.6 (can be fixed by configuring TortoiseSVN to use Plink from the latest PuTTY 0.81).
There may be even more software vulnerable to CVE-2024-31497, depending on which version of PuTTY is used. Users are advised to check their tools and take preventive measures if necessary.