Prevent Private Key Recovery Attacks in PuTTY SSH Client
Understanding the Vulnerability
A critical vulnerability (CVE-2024-31497) in the widely used PuTTY SSH client, present in versions 0.68 through 0.80, allows an attacker to recover a user's NIST P-521 (ecdsa-sha2-nistp521) private key. The flaw is in how PuTTY signs with such a key, not in how the key is generated: every ECDSA signature made with a P-521 key leaks a little information about the private key. Keys on the other ECDSA curves, EdDSA keys and RSA keys are not affected.
Cause of the Issue
The vulnerability stems from biased ECDSA nonces. PuTTY derived each nonce deterministically by computing a SHA-512 hash and reducing the result modulo the curve order q. SHA-512 produces only 512 bits, while the order of P-521 is 521 bits long, so the reduction never changes the value and the top 9 bits of every nonce are zero. ECDSA is only secure when nonces are uniformly random; a known bias of a few bits per signature turns key recovery into a hidden-number-problem lattice attack, and with roughly 60 signatures made by the same key (9 bits each for a 521-bit secret) the private key can be computed.
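The bias is easy to see once the two derivation methods are written out. The following Python is an added illustration, not PuTTY's own code: `putty_style_nonce` is a simplified model of the pre-0.81 scheme (one SHA-512 output reduced mod q; the exact input layout PuTTY hashed is not reproduced), while `rfc6979_nonce` implements the RFC 6979 section 3.2 procedure that 0.81 switched to, which keeps drawing HMAC output until it has at least 521 bits. The private key and messages are constructed sample values.

```python
"""Nonce bias behind CVE-2024-31497: SHA-512 mod q versus RFC 6979 on P-521.

Added example; the "putty_style" function is an assumed, simplified model of
PuTTY 0.68-0.80, not the project's code.
"""
import hashlib
import hmac

# Order q of the NIST P-521 base point: a 521-bit prime, 2^521 minus a
# 260-bit value, hence "01" followed by 65 hex F digits.
P521_ORDER = int(
    "01" + "F" * 65
    + "A51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
    16,
)


def putty_style_nonce(priv: int, msg_hash: bytes, q: int = P521_ORDER) -> int:
    """Simplified model (assumption) of the old scheme: one SHA-512 digest
    reduced modulo q.  512 bits < 521 bits, so k < 2**512 always: the top
    9 bits of a 521-bit nonce are zero for every message."""
    h = hashlib.sha512(priv.to_bytes(66, "big") + msg_hash).digest()
    return int.from_bytes(h, "big") % q


def _bits2int(b: bytes, qlen: int) -> int:
    """RFC 6979 bits2int: keep the leftmost qlen bits of b."""
    x = int.from_bytes(b, "big")
    blen = len(b) * 8
    return x >> (blen - qlen) if blen > qlen else x


def rfc6979_nonce(priv: int, msg_hash: bytes, q: int = P521_ORDER) -> int:
    """RFC 6979 section 3.2 deterministic nonce with HMAC-SHA512."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    hfun = hashlib.sha512
    hlen = hfun().digest_size
    z1 = _bits2int(msg_hash, qlen)
    z2 = z1 - q if z1 >= q else z1              # bits2octets
    x_oct, h_oct = priv.to_bytes(rlen, "big"), z2.to_bytes(rlen, "big")
    V, K = b"\x01" * hlen, b"\x00" * hlen
    K = hmac.new(K, V + b"\x00" + x_oct + h_oct, hfun).digest()
    V = hmac.new(K, V, hfun).digest()
    K = hmac.new(K, V + b"\x01" + x_oct + h_oct, hfun).digest()
    V = hmac.new(K, V, hfun).digest()
    while True:
        T = b""
        while len(T) * 8 < qlen:                # two 512-bit blocks for 521 bits
            V = hmac.new(K, V, hfun).digest()
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        K = hmac.new(K, V + b"\x00", hfun).digest()
        V = hmac.new(K, V, hfun).digest()


def leading_zero_bits(k: int, qbits: int = 521) -> int:
    """Zero bits at the top of k when written as a qbits-bit value."""
    return qbits - k.bit_length()


def bias_survey(nonce_fn, n: int = 64, priv: int = 0x1234567) -> int:
    """Smallest leading-zero count over n nonces from nonce_fn.
    A correct generator should hit 0 quickly; a biased one never goes
    below its bias.  Messages are constructed sample inputs."""
    worst = 521
    for i in range(n):
        h = hashlib.sha512(b"constructed message %d" % i).digest()
        worst = min(worst, leading_zero_bits(nonce_fn(priv, h)))
    return worst


def signatures_needed(qbits: int = 521, bias_bits: int = 9) -> int:
    """Rough count for the lattice attack: each signature contributes
    bias_bits known bits of a qbits-bit secret."""
    return -(-qbits // bias_bits)               # ceiling division


if __name__ == "__main__":
    print("SHA-512 mod q, min leading zeros:", bias_survey(putty_style_nonce))
    print("RFC 6979,      min leading zeros:", bias_survey(rfc6979_nonce))
    print("signatures needed at 9-bit bias:", signatures_needed())
```

Running it shows the old scheme never producing a nonce with fewer than 9 leading zero bits, the RFC 6979 generator reaching a full 521-bit nonce within a handful of messages, and the 521/9 arithmetic that gives the "about 60 signatures" figure. The actual lattice reduction step is not included; it needs an LLL/BKZ implementation and is not needed to understand why the bias is fatal.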
Attacker’s Goal
The attacker needs around 60 P-521 signatures made by the victim's key, and any signature a vulnerable client has produced will do: a server the attacker controls or has compromised receives a fresh signature every time the victim authenticates to it, and signatures published elsewhere, such as git commits signed with the key through Pageant, work just as well. With the recovered private key the attacker can authenticate as the victim to every server that trusts that key and sign anything on the victim's behalf, which opens the door to data theft, system compromise and impersonation.
How to Protect Yourself
To prevent private key recovery attacks in the PuTTY SSH client, follow these steps:
- Update to PuTTY 0.81 or Later: This version fixes the flaw by switching nonce generation to RFC 6979 for all DSA and ECDSA keys. Updating alone does not undo the information already leaked by earlier signatures.
- Revoke Compromised Keys: Any NIST P-521 key ever used with a vulnerable version should be considered compromised. Generate a new key (a different type such as Ed25519 avoids the issue entirely), and remove the old public key from authorized_keys files, git hosting accounts and any other place it is trusted.
- Use Strong Passwords and Two-Factor Authentication: Enhance the security of your SSH accounts by using strong passwords and enabling two-factor authentication, so that a stolen key alone is not enough to log in.
- Be Vigilant for Malicious Activity: Monitor your systems and SSH logs for logins with the affected keys from unexpected sources, and for signatures made with them that you did not create.
- Be Careful with Agent Forwarding: A forwarded agent lets the remote host request signatures from your keys, which is exactly the material this attack needs. Forward your agent only to hosts you fully trust.
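Revoking the keys means finding every server that still trusts them. The script below is an added example, not part of PuTTY or the advisory: it parses authorized_keys lines (including ones with an options prefix such as `command="..."`), decodes the key blob and flags entries whose embedded type and curve name say nistp521. The sample file is constructed inside the script, with dummy curve points, so nobody's real key material is embedded.

```python
"""Audit an authorized_keys file for NIST P-521 entries (CVE-2024-31497).

Added example, not project code.  SAMPLE is a constructed file; the key
blobs are built with dummy points so the lines parse like real ones.
"""
import base64
import re
import struct

# "type base64blob" anywhere on the line, so an options prefix is tolerated.
KEY_RE = re.compile(r"(?:^|\s)(sk-[\w@.-]+|ssh-[\w-]+|ecdsa-[\w-]+)\s+([A-Za-z0-9+/]+={0,2})")


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def read_ssh_string(blob: bytes, off: int):
    """Read one SSH string at offset off; return (value, new_offset)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def fake_pubkey(keytype: str) -> str:
    """Constructed 'type base64' public key text for the sample file."""
    if keytype.startswith("ecdsa-sha2-"):
        curve = keytype[len("ecdsa-sha2-"):]
        size = {"nistp256": 32, "nistp384": 48, "nistp521": 66}[curve]
        point = b"\x04" + b"\x11" * size + b"\x22" * size   # dummy point
        blob = ssh_string(keytype.encode()) + ssh_string(curve.encode()) + ssh_string(point)
    else:                                                   # ssh-ed25519 dummy
        blob = ssh_string(keytype.encode()) + ssh_string(b"\x33" * 32)
    return keytype + " " + base64.b64encode(blob).decode()


SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    fake_pubkey("ssh-ed25519") + " alice@laptop",
    'command="/usr/bin/backup",no-pty ' + fake_pubkey("ecdsa-sha2-nistp521") + " backup@putty",
    fake_pubkey("ecdsa-sha2-nistp256") + " bob@desk",
    fake_pubkey("ecdsa-sha2-nistp521") + " carol@winscp",
])


def is_p521(line: str) -> bool:
    """True when the line carries an ecdsa-sha2-nistp521 key.  The decision
    uses the decoded blob (embedded type and curve name), not the text
    prefix, so a mislabelled line is still caught; unparsable lines are
    left alone rather than deleted."""
    m = KEY_RE.search(line)
    if not m:
        return False
    try:
        blob = base64.b64decode(m.group(2), validate=True)
        ktype, off = read_ssh_string(blob, 0)
        if ktype != b"ecdsa-sha2-nistp521":
            return False
        curve, _ = read_ssh_string(blob, off)
        return curve == b"nistp521"
    except (ValueError, struct.error):
        return False


def audit(text: str):
    """Split authorized_keys text into (kept_lines, flagged_lines)."""
    kept, flagged = [], []
    for line in text.splitlines():
        (flagged if is_p521(line) else kept).append(line)
    return kept, flagged


if __name__ == "__main__":
    kept, flagged = audit(SAMPLE)
    for line in flagged:
        print("REVOKE:", line)
    print(len(kept), "lines kept,", len(flagged), "P-521 entries flagged")
```

To run it on a real server, read `~/.ssh/authorized_keys` (and any `AuthorizedKeysFile` paths from sshd_config) into `audit` instead of `SAMPLE`, review the flagged lines with their owners, and only then write the kept lines back. The same type-and-curve check applies to keys stored in git hosting accounts and other key stores, which the script does not reach.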
Affected Products
Besides PuTTY itself, other products that bundle the vulnerable PuTTY code (typically Pageant or Plink) are also affected:
- FileZilla
- WinSCP
- TortoiseGit
- TortoiseSVN
These products have released updated versions (e.g., FileZilla 3.67.0, WinSCP 6.3.3) that address the vulnerability; TortoiseSVN users should configure it to use Plink from PuTTY 0.81 or later. A P-521 key used with any of them is just as compromised as one used with PuTTY directly.
Additional Resources
PuTTY Security Advisory
Researchers’ Paper on the Vulnerability
Twitter Announcement by Researcher Marcus Brinkmann
We found a critical vulnerability in #PuTTY SSH client with NIST P-521 keys, that allows private key recovery from only 60 signatures, CVE-2024-31497! If you use #Putty or #Filezilla with ECDSA P-521, upgrade now and generate a new key! Joint work with @TrueSkrillor, details ⬇️
— Marcus Brinkmann (@lambdafu) April 15, 2024