{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-039.pdf"
    },
    "title": "Critical Putty Client Vulnerability",
    "serial_number": "2024-039",
    "publish_date": "14-05-2024 13:12:59",
    "description": "A critical vulnerability, identified as CVE-2024-31497, affects the PuTTY SSH client. This vulnerability stems from a bias in ECDSA nonce generation when using the NIST P-521 elliptic curve. Attackers can exploit this bias to recover private keys after observing a relatively small number of ECDSA signatures.",
    "url_title": "2024-039",
    "content_markdown": "---\ntitle: 'Critical Putty Client Vulnerability'\nnumber: '2024-039'\nversion: '1.0'\noriginal_date: 'April 16, 2024'\ndate: 'April 16, 2024'\n---\n\n_History:_\n\n* _16/04/2024 --- v1.0 -- Initial publication_\n\n\n# Summary\n\nA critical vulnerability, identified as **CVE-2024-31497**, affects the PuTTY SSH client [1]. This vulnerability stems from a bias in ECDSA nonce generation when using the NIST P-521 elliptic curve. Attackers can exploit this bias to recover private keys after observing a relatively small number of ECDSA signatures.\n\n# Technical Details\n\nPuTTY, when utilising the NIST P-521 elliptic curve, generates ECDSA nonces with the first 9 bits set to zero. This significant bias makes it feasible for attackers to employ state-of-the-art lattice-based techniques to recover the complete private key from these biased nonces after collecting around 60 valid ECDSA signatures.\n\n# Affected Products\n\n- PuTTY versions before 0.81\n- FileZilla versions from 3.24.1 to 3.66.5\n- WinSCP versions from 5.9.5 to 6.3.2\n- TortoiseGit versions from 2.4.0.2 to 2.15.0\n- TortoiseSVN versions from 1.10.0 to 1.14.6\n\n# Recommendations\n\nUsers are urged to update their software to a fixed version immediately to mitigate the vulnerability. It is also recommended to review and replace any NIST P-521 (`521-bit ECDSA`, `ecdsa-sha2-nistp521`) keys that may have been used with affected versions of PuTTY, as these keys should be considered compromised.\n\n# References\n\n[1] <https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>16/04/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>A critical vulnerability, identified as <strong>CVE-2024-31497</strong>, affects the PuTTY SSH client [1]. This vulnerability stems from a bias in ECDSA nonce generation when using the NIST P-521 elliptic curve. Attackers can exploit this bias to recover private keys after observing a relatively small number of ECDSA signatures.</p><h2 id=\"technical-details\">Technical Details</h2><p>PuTTY, when utilising the NIST P-521 elliptic curve, generates ECDSA nonces with the first 9 bits set to zero. This significant bias makes it feasible for attackers to employ state-of-the-art lattice-based techniques to recover the complete private key from these biased nonces after collecting around 60 valid ECDSA signatures.</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>PuTTY versions before 0.81</li><li>FileZilla versions from 3.24.1 to 3.66.5</li><li>WinSCP versions from 5.9.5 to 6.3.2</li><li>TortoiseGit versions from 2.4.0.2 to 2.15.0</li><li>TortoiseSVN versions from 1.10.0 to 1.14.6</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Users are urged to update their software to a fixed version immediately to mitigate the vulnerability. It is also recommended to review and replace any NIST P-521 (<code>521-bit ECDSA</code>, <code>ecdsa-sha2-nistp521</code>) keys that may have been used with affected versions of PuTTY, as these keys should be considered compromised.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html\">https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}