Stairwell threat report: Vulnerable PuTTY SSH libraries (CVE-2024-31497) — Stairwell

Researchers identified a vulnerable DSA implementation in PuTTY SSH libraries (versions 0.68–0.80), CVE-2024-31497, which could allow private-key reconstruction by observing signatures. Stairwell adds a broader list of potentially vulnerable software, known hashes, and a YARA rule to detect affected binaries across environments.

Key points

  • Researchers identified CVE-2024-31497 in PuTTY SSH libraries versions 0.68–0.80, enabling potential private-key reconstruction by observing signatures.
  • The vulnerability could affect software beyond PuTTY itself: PuTTY 0.81+ fixes the issue, but third-party software still needs updates.
  • Using its YARA rule, Stairwell expands the list of potentially vulnerable software beyond the NIST advisory, which includes WinSCP, TortoiseGit, and FileZilla.
  • Stairwell provides known vulnerable hashes and a YARA rule to help detect vulnerable binaries across environments.
  • The YARA rule relies on the string “ECDSA deterministic k generator” found in pre-0.81 versions, indicating vulnerable code in third-party software using PuTTY libraries.
  • The patch moves to an RFC 6979-based ECDSA implementation, as noted in a referenced commit.
  • Although not remotely exploitable, the vulnerability poses high risk due to potential private-key compromise in enterprise key-based authentication and supply-chain contexts.

MITRE Techniques

  • [T1552.004] Private Keys – Attacker could reconstruct the private key used in key-based authentication by observing cryptographic signatures. ‘The CVE-2024-31497 PuTTY vulnerability could allow an attacker to reconstruct the private key used in key-based authentication by observing cryptographic signatures.’

Indicators of Compromise

  • [Hash] Known vulnerable hashes – 06861c22056919216f925892334ba29b4a2848a7a09c3611540b16e993fd6cc3, eb1b278b91a8f183f9749948abd9556ec21b03ca852c53e423d824d5d7cc3de4, and other hashes
  • [File] Vulnerable PuTTY-related binaries – w64/putty.exe, w64/psftp.exe, and other binaries using PuTTY libraries
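
The two detection signals described above (the marker string and the known hashes) can be combined in a simple file sweep. This is an added example, not Stairwell's YARA rule or code from the report; the function names and chunk size are assumptions, and only the marker string and the two hashes come from this page.

```python
import hashlib
import os
import sys

# Marker string and hashes are the ones quoted on this page.
MARKER = b"ECDSA deterministic k generator"
KNOWN_VULNERABLE_SHA256 = {
    "06861c22056919216f925892334ba29b4a2848a7a09c3611540b16e993fd6cc3",
    "eb1b278b91a8f183f9749948abd9556ec21b03ca852c53e423d824d5d7cc3de4",
}
CHUNK = 1 << 20  # assumed chunk size: read 1 MiB at a time

def scan_file(path):
    """Return (sha256_hex, marker_found) for one file, read in chunks."""
    digest = hashlib.sha256()
    found = False
    tail = b""  # last len(MARKER)-1 bytes, so a marker split across chunks is seen
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            digest.update(chunk)
            if not found and MARKER in tail + chunk:
                found = True
            tail = (tail + chunk)[-(len(MARKER) - 1):]
    return digest.hexdigest(), found

def classify(path):
    """Return 'known-hash', 'marker-string' or None for a file."""
    sha256, found = scan_file(path)
    if sha256 in KNOWN_VULNERABLE_SHA256:
        return "known-hash"
    return "marker-string" if found else None

def scan_tree(root):
    """Walk root and return sorted (path, verdict) pairs for flagged files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                verdict = classify(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if verdict:
                hits.append((path, verdict))
    return sorted(hits)

if __name__ == "__main__":
    for path, verdict in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict}\t{path}")
```

A `marker-string` hit means the file carries the pre-0.81 string and should be checked against the vendor's fixed release; a `known-hash` hit matches one of the two hashes listed above.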

Read more: https://stairwell.com/resources/stairwell-threat-report-vulnerable-putty-ssh-libraries-cve-2024-31497/