A serious vulnerability has been discovered in PuTTY, a widely used SSH client. The vulnerability allows attackers to steal users’ private keys in some cases. The vulnerability affects PuTTY versions 0.68 through 0.80. The problem has now been resolved.
Due to the vulnerability, which tracked under CVE-2024-31497, attackers can obtain users’ NIST P-521 keys. This is possible through the code with which the PuTTY client generates ‘signatures’ via the Ecdsa. That code contains a bias so that generated signatures can be used to determine the underlying private key. Attackers are able to do this if they have about sixty such signatures in their hands. To do this, they need access to the victim’s signatures, for example by temporarily taking over an SSH server that the victim uses.
With the stolen keys, attackers can then create false signatures and gain access to servers on which the relevant key has been used. The advice to users is to immediately delete the affected private keys revoke and generate new keys. Attackers may have already obtained sufficient signatures before the patch was released. Only 521bit Ecdsa keys are vulnerable. Moreover, such keys are only vulnerable if they are used via the PuTTY client or the PuTTY Authentication Agent.
The new version of PuTTY, version 0.81, resolves the vulnerability. Services such as FileZilla, WinSCP, TortoiseGit and TortoiseSVN are also vulnerable. The most recent versions of that software also fixed the problem.