CVE-2024-31497

Disclosure Date: April 15, 2024

Attacker Value: Low (1 user assessed)
Exploitability: Low (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

Description

In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user’s NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is able to read messages signed by PuTTY or Pageant. The required set of signed messages may be publicly readable because they are stored in a public Git service that supports use of SSH for commit signing, and the signatures were made by Pageant through an agent-forwarding mechanism. In other words, an adversary may already have enough signature information to compromise a victim’s private key, even if there is no further use of vulnerable PuTTY versions. After a key compromise, an adversary may be able to conduct supply-chain attacks on software maintained in Git.

A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim’s private key) can derive the victim’s private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git.

This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.
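The "biased ECDSA nonce generation" in the description has a simple arithmetic cause: PuTTY derived each nonce k by hashing the private key together with the message hash with SHA-512 and reducing the 512-bit result mod the group order q. For P-256 and P-384 that reduction spreads k over the whole range; for P-521, q has 521 bits, so 2^512 < q, the reduction never changes anything, and the top 9 bits of every k are zero. The Python below is an added example (not PuTTY's code and not part of this AttackerKB entry) that models that construction next to an RFC 6979 derivation, which is what PuTTY 0.81 switched to. The exact bytes PuTTY fed into SHA-512 and the sample private scalar are assumptions, marked as such in the code.

```python
"""Why PuTTY's P-521 ECDSA nonces had 9 zero top bits, and what a correct
nonce derivation looks like.

Added example, not PuTTY's code. putty_style_nonce() models the pre-0.81
construction described in the advisories: one SHA-512 over (private key ||
message hash), reduced mod the group order q. The exact byte layout PuTTY
hashed is an assumption here; only the digest width matters for the bias.
rfc6979_nonce() is the RFC 6979 HMAC-DRBG derivation PuTTY 0.81 moved to.
"""
import hashlib
import hmac

# Order of the NIST P-521 base point (FIPS 186-4 / SEC 2), a 521-bit prime.
N_P521 = int("01FF" + "FFFFFFFF" * 7 + "FFFFFFFA"
             "51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)
assert N_P521.bit_length() == 521

# Constructed private scalar for the demonstration (not a real key).
SAMPLE_PRIV = int.from_bytes(hashlib.sha512(b"constructed demo key").digest(), "big") % N_P521


def putty_style_nonce(priv: int, msg_hash: bytes, q: int = N_P521) -> int:
    """k = SHA-512(priv || H(m)) mod q.  For P-256/P-384 the reduction makes k
    close to uniform.  For P-521, 2**512 < q, so the reduction never fires and
    k is a 512-bit value inside a 521-bit space: the top 9 bits are always 0."""
    qlen_bytes = (q.bit_length() + 7) // 8
    h = hashlib.sha512(priv.to_bytes(qlen_bytes, "big") + msg_hash).digest()
    return int.from_bytes(h, "big") % q


def rfc6979_nonce(priv: int, msg_hash: bytes, q: int = N_P521, hashfn=hashlib.sha512) -> int:
    """Deterministic nonce per RFC 6979 section 3.2.  HMAC-DRBG output is
    collected until at least qlen bits are available and the leftmost qlen
    bits are taken, so the candidate covers the full 521-bit range; values
    outside [1, q-1] are rejected and the DRBG is stepped again."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    hlen = hashfn().digest_size

    def bits2int(b: bytes) -> int:
        v = int.from_bytes(b, "big")
        extra = len(b) * 8 - qlen
        return v >> extra if extra > 0 else v

    def int2octets(v: int) -> bytes:
        return v.to_bytes(rlen, "big")

    def bits2octets(b: bytes) -> bytes:
        z1 = bits2int(b)
        z2 = z1 - q
        return int2octets(z1 if z2 < 0 else z2)

    def H(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashfn).digest()

    V = b"\x01" * hlen
    K = b"\x00" * hlen
    K = H(K, V + b"\x00" + int2octets(priv) + bits2octets(msg_hash))
    V = H(K, V)
    K = H(K, V + b"\x01" + int2octets(priv) + bits2octets(msg_hash))
    V = H(K, V)
    while True:
        T = b""
        while len(T) * 8 < qlen:   # two SHA-512 blocks for a 521-bit q
            V = H(K, V)
            T += V
        k = bits2int(T)
        if 1 <= k < q:
            return k
        K = H(K, V + b"\x00")
        V = H(K, V)


def count_short_nonces(nonce_fn, priv: int, n_msgs: int, width: int = 512) -> int:
    """Derive a nonce for n_msgs constructed messages and count how many fit in
    `width` bits.  A uniform 521-bit nonce fits in 512 bits with probability
    2**-9, so the biased scheme scores n_msgs and RFC 6979 almost always 0."""
    short = 0
    for i in range(n_msgs):
        h = hashlib.sha512(b"constructed message %d" % i).digest()
        if nonce_fn(priv, h).bit_length() <= width:
            short += 1
    return short


if __name__ == "__main__":
    n = 60  # about the number of signatures the advisory says the lattice attack needs
    print("PuTTY <= 0.80 model: %d/%d nonces have their top 9 bits zero"
          % (count_short_nonces(putty_style_nonce, SAMPLE_PRIV, n), n))
    print("RFC 6979:            %d/%d nonces have their top 9 bits zero"
          % (count_short_nonces(rfc6979_nonce, SAMPLE_PRIV, n), n))
```

The 9-bit bias is what turns the signatures into hidden-number-problem instances for a lattice attack; the block stops at demonstrating the bias and does not implement the key recovery itself.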

Ratings
  • Attacker Value
    Low
  • Exploitability
    Low
Technical Analysis

CVE-2024-31497 is a cryptographic flaw (specifically CWE-338, or “Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)”) in PuTTY 0.68 through 0.80. The vulnerability allows attackers to recover and compromise private PuTTY keys — it was fixed in version 0.81, which was released April 15, 2024. Per Openwall (one of the many advisories on this issue):

“The PuTTY client and all related components generate heavily biased ECDSA nonces in the case of NIST P-521. To be more precise, the first 9 bits of each ECDSA nonce are zero. This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques. These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents.”

Rating this vuln relatively low for value and exploitability since it only affects 521-bit ECDSA keys, which are less common. Other key sizes and algorithms aren’t affected. The Openwall advisory notes that while the nonce generation for other curves is also slightly biased, that bias is not enough to perform lattice-based key recovery attacks. Reddit has a good series of comments on the issue, all of which are happily very down-to-earth :)

As of November 2024 there’s no known exploitation in the wild, which makes sense given the caveats to exploitation and narrow scope of the bug. A number of downstream advisories have been released for products that implement PuTTY, e.g., this Citrix XenCenter bulletin. Orgs that use 521-bit ECDSA keys should revoke and regenerate, and folks who use PuTTY in their own product implementations should update to the latest version.
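The remediation advice above (revoke and regenerate 521-bit ECDSA keys) needs an inventory first. The Python below is an added example, not part of the assessment and not from PuTTY or OpenSSH, that scans OpenSSH public-key material and reports ecdsa-sha2-nistp521 entries. It parses the SSH wire-format blob (RFC 4251 length-prefixed strings) instead of trusting the text token, so authorized_keys option prefixes are handled and malformed lines are skipped rather than fatal. The keys at risk are user keys that PuTTY or Pageant signed with, so the inputs of interest are authorized_keys files on servers and users' .pub files; host keys in known_hosts are signed by the server, not by PuTTY. The sample lines are constructed inside the block with dummy point bytes and are not real keys.

```python
"""Find NIST P-521 ECDSA keys in OpenSSH public-key files (authorized_keys,
*.pub).  Added example, not PuTTY's or OpenSSH's code.  Sample lines are
constructed below with dummy point bytes; they are not real keys."""
import base64
import struct
from typing import Iterable, List, Optional, Tuple

VULNERABLE_TYPE = "ecdsa-sha2-nistp521"


def read_ssh_strings(blob: bytes) -> List[bytes]:
    """Split an SSH wire-format blob into its uint32-length-prefixed strings."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated string")
        fields.append(blob[off:off + n])
        off += n
    return fields


def key_type_of_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (key type, curve name or '') for one OpenSSH public-key line, or
    None for comments, blanks and lines with no decodable key.  Leading
    authorized_keys options are skipped by locating the type token and decoding
    the base64 blob after it; the type recorded inside the blob is authoritative."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i in range(len(tokens) - 1):
        if not tokens[i].startswith(("ssh-", "ecdsa-", "sk-")):
            continue
        try:
            fields = read_ssh_strings(base64.b64decode(tokens[i + 1], validate=True))
        except (ValueError, struct.error):   # bad base64 or a truncated blob
            continue
        if not fields:
            continue
        blob_type = fields[0].decode("ascii", "replace")
        curve = ""
        if blob_type.startswith(("ecdsa-", "sk-ecdsa-")) and len(fields) > 1:
            curve = fields[1].decode("ascii", "replace")
        return blob_type, curve
    return None


def find_p521_keys(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, key type) for every P-521 ECDSA key found."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        parsed = key_type_of_line(line)
        if parsed and (parsed[0] == VULNERABLE_TYPE or parsed[1] == "nistp521"):
            hits.append((lineno, parsed[0]))
    return hits


def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def make_key_line(fields: List[bytes], prefix: str = "", comment: str = "") -> str:
    """Build a syntactically valid key line from wire-format fields (test data only)."""
    blob = b"".join(ssh_string(f) for f in fields)
    b64 = base64.b64encode(blob).decode()
    return " ".join(t for t in (prefix, fields[0].decode(), b64, comment) if t)


# Constructed dummies: the right length for an uncompressed point, not on any curve.
DUMMY_P521_POINT = b"\x04" + b"\x11" * 132
DUMMY_P256_POINT = b"\x04" + b"\x22" * 64

SAMPLE_LINES = [
    "# constructed test data, not real keys",
    make_key_line([b"ecdsa-sha2-nistp256", b"nistp256", DUMMY_P256_POINT], comment="alice@laptop"),
    make_key_line([b"ecdsa-sha2-nistp521", b"nistp521", DUMMY_P521_POINT],
                  prefix='no-agent-forwarding,from="10.0.0.0/8"', comment="bob@build"),
    make_key_line([b"ecdsa-sha2-nistp521", b"nistp521", DUMMY_P521_POINT],
                  prefix='restrict,command="/usr/bin/git-shell -c"', comment="deploy@ci"),
    make_key_line([b"ssh-ed25519", b"\x33" * 32], comment="carol"),
    "ssh-rsa not-base64!! dave",   # malformed: skipped, not fatal
]

if __name__ == "__main__":
    import sys
    if not sys.argv[1:]:
        for lineno, ktype in find_p521_keys(SAMPLE_LINES):
            print("<sample>:%d: %s" % (lineno, ktype))
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, ktype in find_p521_keys(fh):
                print("%s:%d: %s" % (path, lineno, ktype))
```

For a one-off check, `ssh-keygen -lf <file>` prints the bit count and type for the keys in a file ("521 ... (ECDSA)"); the script is for sweeping many files and getting line numbers back in a form you can feed into a revocation ticket. A hit means the key should be rotated if it was ever used to sign with PuTTY or Pageant 0.68 through 0.80, regardless of what version is installed now.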

CVSS V3 Severity and Metrics

Base Score: 5.9 Medium
Impact Score: 3.6
Exploitability Score: 2.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

General Information

Vendors

  • fedoraproject
  • filezilla-project
  • putty
  • tigris
  • tortoisegit
  • winscp

Products

  • fedora 38
  • fedora 39
  • fedora 40
  • filezilla client
  • putty
  • tortoisegit
  • tortoisesvn
  • winscp
