CVE-2024-31497
Description
In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user’s NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is able to read messages signed by PuTTY or Pageant. The required set of signed messages may be publicly readable because they are stored in a public Git service that supports use of SSH for commit signing, and the signatures were made by Pageant through an agent-forwarding mechanism. In other words, an adversary may already have enough signature information to compromise a victim’s private key, even if there is no further use of vulnerable PuTTY versions. After a key compromise, an adversary may be able to conduct supply-chain attacks on software maintained in Git. A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim’s private key) can derive the victim’s private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.
Ratings
- Attacker Value: Low
- Exploitability: Low
Technical Analysis
CVE-2024-31497 is a cryptographic flaw (specifically CWE-338, “Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)”) in PuTTY 0.68 through 0.80. The vulnerability lets an attacker who collects roughly 60 ECDSA signatures made with a NIST P-521 key recover that private key. It was fixed in version 0.81, released April 15, 2024. Per Openwall (one of the many advisories on this issue):
“The PuTTY client and all related components generate heavily biased ECDSA nonces in the case of NIST P-521. To be more precise, the first 9 bits of each ECDSA nonce are zero. This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques. These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents.”
Rating this vuln relatively low for value and exploitability since it only affects NIST P-521 (521-bit) ECDSA keys, which are less common; other curves, key sizes and algorithms aren't affected. The Openwall advisory notes that while the nonce generation for other curves is also slightly biased, that bias is not enough to perform lattice-based key recovery attacks. Note also that the attacker needs signatures, not network access: a server the victim authenticates to, or a public Git host holding commits signed through a forwarded Pageant, already has them. Reddit has a good series of comments on the issue, all of which are happily very down-to-earth :)
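To make the "9 zero bits, ~60 signatures, lattice attack" chain concrete, here is an added example written for this page (it is not PuTTY's code, not Rapid7's, and not from any of the advisories). The first part shows where the bias comes from: PuTTY derived the nonce by reducing a 512-bit SHA-512 output modulo the 521-bit P-521 group order, so the top 9 bits can never be set (the hash input used here is a placeholder, not PuTTY's format; the P-521 order constant is from SEC 2). The second part runs the hidden-number-problem (HNP) recovery at toy scale: the group order is a 32-bit prime instead of P-521, the nonce bias is the same 9 bits, signatures follow the ECDSA equation s = k^-1 (h + r*d) mod q, and r is modelled as pow(2, k, q) as a stand-in for the x-coordinate of k*G (the attack never interprets r, so any public value works). With 10 signatures a textbook LLL over exact rationals recovers d; the real attack needs ~60 signatures and stronger reduction because 60 * 9 bits only just exceeds 521.

```python
"""Scaled-down hidden-number-problem (HNP) attack on biased ECDSA nonces.

Added example for this page, not PuTTY or Rapid7 code. It keeps the 9-bit
nonce bias from the advisory but shrinks the group order from 521 to 32 bits
so a pure-Python LLL finishes in seconds. Signatures follow the ECDSA equation
s = k^-1 * (h + r*d) mod q; r stands in for the x-coordinate of k*G, which the
attack never interprets.
"""
import hashlib
import random
from fractions import Fraction

# Order of the real P-521 group (SEC 2). Reducing a 512-bit hash modulo this
# 521-bit value can never produce a nonce with any of its top 9 bits set.
N_P521 = int("01" + "F" * 65 + "A"
             + "51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)


def hash_reduced_nonce(seed):
    """Nonce built the way the bias arises: a 512-bit hash reduced mod N_P521.
    `seed` is a placeholder for the key/message material, not PuTTY's format."""
    return int.from_bytes(hashlib.sha512(seed).digest(), "big") % N_P521


Q = 4294967291            # largest 32-bit prime: toy stand-in for the group order
ELL = Q.bit_length()      # 32
BIAS = 9                  # top 9 nonce bits are zero, as for P-521 in PuTTY
B = 1 << (ELL - BIAS)     # every biased nonce k satisfies 0 < k < B


def sign(d, h, k):
    r = pow(2, k, Q)                      # placeholder for x(k*G) mod q
    return r, pow(k, -1, Q) * (h + r * d) % Q


def _dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def _gram_schmidt(b):
    n = len(b)
    mu = [[Fraction(0)] * n for _ in range(n)]
    bstar, norms = [], []
    for i in range(n):
        v = list(b[i])
        for j in range(i):
            mu[i][j] = _dot(b[i], bstar[j]) / norms[j]
            v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
        bstar.append(v)
        norms.append(_dot(v, v))
    return mu, norms


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals (slow, but fine for a 12-row lattice)."""
    b = [[Fraction(x) for x in row] for row in basis]
    mu, norms = _gram_schmidt(b)
    k = 1
    while k < len(b):
        for j in range(k - 1, -1, -1):          # size-reduce row k
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                mu[k][j] -= q
                for l in range(j):
                    mu[k][l] -= q * mu[j][l]
        if norms[k] >= (delta - mu[k][k - 1] ** 2) * norms[k - 1]:
            k += 1                              # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]     # swap and recompute Gram-Schmidt
            mu, norms = _gram_schmidt(b)
            k = max(k - 1, 1)
    return b


def hnp_basis(sigs):
    """Rows: Q*e_i, then t (with B/Q in the d slot), then u (with B at the end).
    k_i = t_i*d + u_i (mod Q), so d*t + u minus multiples of Q*e_i equals
    (k_0, ..., k_{m-1}, d*B/Q, B): short because every k_i < B."""
    m = len(sigs)
    rows = [[Q if j == i else 0 for j in range(m + 2)] for i in range(m)]
    t, u = [0] * (m + 2), [0] * (m + 2)
    for i, (h, r, s) in enumerate(sigs):
        s_inv = pow(s, -1, Q)
        t[i], u[i] = r * s_inv % Q, h * s_inv % Q
    t[m], u[m + 1] = Fraction(B, Q), B
    return rows + [t, u]


def recover_key(sigs):
    """Return the private key d, or None if no reduced row explains the signatures."""
    m = len(sigs)
    for v in lll(hnp_basis(sigs)):
        if abs(v[m + 1]) != B:
            continue
        sgn = 1 if v[m + 1] > 0 else -1
        d = int(sgn * v[m] * Q / B) % Q          # undo the B/Q scaling of the d slot
        nonces = [pow(s, -1, Q) * (h + r * d) % Q for h, r, s in sigs]
        if all(0 < k < B and pow(2, k, Q) == r for k, (h, r, _) in zip(nonces, sigs)):
            return d
    return None


def demo(seed=1, count=10):
    """Generate `count` signatures with biased nonces and try to recover d."""
    rng = random.Random(seed)
    d = rng.randrange(1, Q)
    sigs = [(h,) + sign(d, h, rng.randrange(1, B))
            for h in (rng.randrange(1, Q) for _ in range(count))]
    return d, recover_key(sigs)


if __name__ == "__main__":
    secret, found = demo()
    print("recovered" if found == secret else "failed", hex(secret))
```

The verification step in `recover_key` matters: LLL can leave the target vector in any row (possibly negated), so each candidate d is checked against every signature before it is accepted. Nothing here is specific to the toy sizes except the choice of LLL; at P-521 scale the same basis is built from the harvested signatures and handed to a stronger reduction such as BKZ.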
As of November 2024 there’s no known exploitation in the wild, which makes sense given the caveats to exploitation and narrow scope of the bug. A number of downstream advisories have been released for products that bundle PuTTY code, e.g., the Citrix XenCenter bulletin. Orgs whose users have a NIST P-521 ECDSA key that was ever used with a vulnerable PuTTY or Pageant (including through agent forwarding) should treat that key as compromised: revoke it everywhere it is trusted (authorized_keys files, Git hosting accounts, jump hosts) and generate a replacement. Upgrading PuTTY alone does not undo the exposure, because the signatures already made remain available to whoever collected them. Folks who bundle PuTTY in their own products should update to the latest version.
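Finding the keys that need rotating is the practical first step, so here is an added example scanner written for this page (not AttackerKB, PuTTY or OpenSSH code). It reads authorized_keys or id_*.pub style lines, base64-decodes the key blob, walks the SSH wire-format strings (RFC 4251 length-prefixed strings: type, then curve name for ECDSA keys) and reports every key whose curve is nistp521. It reads the curve from inside the blob rather than trusting the type token, tolerates options such as command="..." in front of the key, and keeps going past lines it cannot parse. The sample lines at the bottom are constructed with dummy public-point bytes and are not real keys.

```python
"""Scan OpenSSH public-key material for NIST P-521 ECDSA keys.

Added example for this page (not part of AttackerKB, PuTTY or OpenSSH). Each
hit is a key the owner should be asked to rotate if it was ever used with a
vulnerable PuTTY or Pageant.
"""
import base64
import binascii
import struct

KEY_TYPES = (
    "ssh-rsa", "ssh-dss", "ssh-ed25519", "sk-ssh-ed25519@openssh.com",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ecdsa-sha2-nistp256@openssh.com",
)


def ssh_string(data):
    """Encode bytes as an SSH wire-format string: uint32 length, then bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_strings(blob):
    """Split a decoded key blob into its wire-format strings."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("string runs past end of blob")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def parse_key_line(line):
    """Parse one authorized_keys / id_*.pub line.

    Returns None for blank and comment lines, otherwise a dict with the type
    token, the type and curve recorded inside the blob, and the comment.
    Options such as command="..." may precede the key; the first token that
    is a known key type is taken as the start of the key."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            blob = base64.b64decode(tokens[i + 1], validate=True)
            fields = read_ssh_strings(blob)
            if not fields:
                raise ValueError("empty key blob")
            blob_type = fields[0].decode("ascii", "replace")
            curve = None
            if blob_type.startswith(("ecdsa-sha2-", "sk-ecdsa-sha2-")) and len(fields) > 1:
                curve = fields[1].decode("ascii", "replace")
            return {"token": tok, "type": blob_type, "curve": curve,
                    "comment": " ".join(tokens[i + 2:])}
    raise ValueError("no recognised key type on line")


def find_p521_keys(lines):
    """Return (hits, errors). hits: (line_no, blob_type, comment) for every key
    whose blob or type token names nistp521. errors: (line_no, reason) for
    lines that could not be parsed; the scan continues past them."""
    hits, errors = [], []
    for line_no, line in enumerate(lines, 1):
        try:
            key = parse_key_line(line)
        except (ValueError, binascii.Error) as exc:
            errors.append((line_no, str(exc)))
            continue
        if key is None:
            continue
        if key["curve"] == "nistp521" or key["token"].endswith("nistp521"):
            hits.append((line_no, key["type"], key["comment"]))
    return hits, errors


def fake_key_line(fields, comment, options=""):
    """Build a syntactically valid key line from raw blob fields. The point
    bytes are dummies constructed for this example, not real key material."""
    blob = b"".join(ssh_string(f) for f in fields)
    b64 = base64.b64encode(blob).decode("ascii")
    prefix = options + " " if options else ""
    return "%s%s %s %s" % (prefix, fields[0].decode("ascii"), b64, comment)


# Constructed sample authorized_keys content (dummy key material).
SAMPLE_LINES = [
    "# constructed sample for this example",
    fake_key_line([b"ecdsa-sha2-nistp521", b"nistp521", b"\x04" + b"\x11" * 132], "alice@build-host"),
    fake_key_line([b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x22" * 64], "bob@laptop"),
    fake_key_line([b"ssh-ed25519", b"\x33" * 32], "carol@laptop"),
    fake_key_line([b"ecdsa-sha2-nistp521", b"nistp521", b"\x04" + b"\x44" * 132], "ci-deploy",
                  options='command="/usr/bin/git-shell -c upload" no-pty'),
    "ecdsa-sha2-nistp521 not-base64!! broken@line",
]

if __name__ == "__main__":
    found, bad = find_p521_keys(SAMPLE_LINES)
    for line_no, key_type, comment in found:
        print("line %d: %s %s -> rotate this key" % (line_no, key_type, comment))
    for line_no, reason in bad:
        print("line %d: could not parse (%s)" % (line_no, reason))
```

Point it at real files by replacing `SAMPLE_LINES` with `open(path).read().splitlines()`; the same parser works for `known_hosts`-style lines if the leading host field is left in place, since the scanner only looks for the first recognised key-type token. Whether a flagged key was actually used with a vulnerable PuTTY is something the scanner cannot tell you, which is why the advice above is to assume it was.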
General Information
Vendors
- fedoraproject
- filezilla-project
- putty
- tigris
- tortoisegit
- winscp
Products
- fedora 38
- fedora 39
- fedora 40
- filezilla client
- putty
- tortoisegit
- tortoisesvn
- winscp