A critical security vulnerability has been discovered in PuTTY, a very popular program for secure terminal access to remote servers. This vulnerability could put the private keys of many users at risk.
Cataloged as CVE-2024-31497, the vulnerability affects PuTTY versions 0.68 through 0.80. So, if you have been using any of these versions, it is important to be aware of what this means for your data security.
What’s the Problem?
Fabian Bäumer and Marcus Brinkmann of the Ruhr University Bochum found the vulnerability. It concerns how PuTTY generates signatures from ECDSA private keys on the NIST P521 curve.
The flaw lies in how PuTTY creates one component of each signature, called the ‘nonce’. A nonce is a randomly generated number that can be used only once in a cryptographic communication, which ensures that old communications cannot be reused in replay attacks.
However, because early Windows systems lacked a high-quality random number generator, PuTTY generated its nonces with a deterministic method. For the P521 curve this method produced biased nonces, which made private key recovery possible.
Simply put, an attacker who gets hold of multiple signed messages can potentially recover your private key due to a specific bias in the signature creation process. This would allow them to forge signatures and access any servers where you’ve used this key.
Why Is It Serious?
A compromised private key is a major security risk comparable to someone having the key to your home. The attacker could impersonate you, gaining unauthorized access to systems and sensitive information.
Notably, this vulnerability does not require an attacker to intercept your communications; they only need to access signatures generated by your key.
What Should You Do?
If you are using a P521 key with PuTTY:
- Revoke the key immediately. Remove it from the authorized_keys files of all servers where it has been used.
- Generate a new key pair. Use PuTTYgen or another tool to create a new set of keys for future authentication.
The good news is that this issue only affects 521-bit ECDSA keys, specifically those marked with “ecdsa-sha2-nistp521” in PuTTYgen or Pageant. This issue does not affect other cryptographic key types and sizes, such as Ed25519.
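One way to find the entries that need removing, as an added example that is not part of the original article or of PuTTY: a Python scanner that lists authorized_keys entries of type ecdsa-sha2-nistp521, skipping commented-out lines and confirming the type stored inside the key blob. The function names and the sample lines are assumptions constructed for illustration.

```python
import base64
import struct

TARGET = "ecdsa-sha2-nistp521"  # key type the article names as affected

def split_fields(line):
    """Split on whitespace but keep double-quoted option values in one field."""
    fields, cur, quoted, prev = [], "", False, ""
    for ch in line.strip():
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                fields.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return fields + ([cur] if cur else [])

def blob_key_type(b64):
    """Return the key type stored inside the base64 key blob, or None."""
    try:
        raw = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])  # SSH string: 4-byte length, then bytes
        return raw[4:4 + n].decode("ascii")
    except (ValueError, struct.error):
        return None

def find_p521_entries(text):
    """Return (line_number, comment) for each nistp521 entry in authorized_keys text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        f = [] if line.lstrip().startswith("#") else split_fields(line)
        for i in range(len(f) - 1):
            if f[i] == TARGET and blob_key_type(f[i + 1]) == TARGET:
                hits.append((no, " ".join(f[i + 2:])))
                break
    return hits

def sample_blob(key_type):  # constructed: real wire framing, zero bytes as key data
    name = key_type.encode()
    return base64.b64encode(struct.pack(">I", len(name)) + name + bytes(32)).decode()

SAMPLE = "\n".join([  # constructed sample lines, not real keys
    "ssh-ed25519 " + sample_blob("ssh-ed25519") + " alice@laptop",
    TARGET + " " + sample_blob(TARGET) + " bob@putty",
    'command="echo ' + TARGET + ' x",no-pty ' + TARGET + " " + sample_blob(TARGET) + " backup job",
])
```

To audit a server, pass the contents of each user's authorized_keys file to `find_p521_entries`. A hit only identifies the key type; whether the key was ever used with an affected PuTTY or Pageant version has to be confirmed with its owner.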
The developers have now fixed this issue in version 0.81 of PuTTY by adopting a new, standardized method for generating nonces.
So, if you’re using PuTTY for sensitive operations, it is crucial to update to the latest version immediately and replace any compromised keys to safeguard your digital security.