Reference:
Advisory #2024-54
Version:
1.0
Affected software:
FileZilla 3.24.1 - 3.66.5
PuTTY Client versions 0.68 - 0.80
TortoiseGit 2.4.0.2 - 2.15.0
TortoiseSVN 1.10.0 - 1.14.6
WinSCP 5.9.5 - 6.3.2
Type:
Secret Key Recovery
CVE/CVSS:
CVE-2024-31497: CVSS 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Risks
The PuTTY client and all related components are affected by a vulnerability that allows an attacker to recover secret keys, which can then be used to conduct supply chain attacks.
Description
CVE-2024-31497: Secret Key Recovery
 
The vulnerability is due to a biased ecdsa-sha2-nistp521 nonce generation that allows an attacker to recover a user's NIST P-521 secret key after seeing roughly 60 valid ECDSA signatures generated by any PuTTY component under the same key.
 
Two scenarios are particularly concerning: 
 
1. An adversary is able to read messages signed by PuTTY or Pageant. 
These signed messages may be publicly readable because they are stored in a public Git service that supports the use of SSH for commit signing. An adversary may already have enough signature information to compromise a victim's private key and then conduct a supply-chain attack. 
 
2. The adversary is an operator of an SSH server to which the victim authenticates, even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the server operated by the attacker can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git.
 
All NIST P-521 client keys used with PuTTY must be considered compromised, as the attack can be carried out even after the root cause has been fixed in the source code (assuming that ~60 pre-patch signatures are available to an adversary).
Recommended Actions
Patch
 
The Centre for Cybersecurity Belgium strongly recommends installing updates for any of the vulnerable software mentioned in the present advisory. 
Additionally, all NIST P-521 keys should be regenerated and the previous ones should be revoked. 
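To support the key revocation recommended above, the following added example (not part of the original advisory) lists every ecdsa-sha2-nistp521 entry in an authorized_keys file together with its SHA256 fingerprint. The function names and the sample file content are constructed for illustration; since authorized_keys does not record which client used a key, each hit is a candidate to confirm with its owner.

```python
import base64
import hashlib
import struct

TARGET = "ecdsa-sha2-nistp521"  # key type named in the advisory

def wire_prefix(key_type):
    """SSH wire-format start of a public-key blob: uint32 length + type name."""
    return struct.pack(">I", len(key_type)) + key_type.encode()

def sample_blob(key_type, filler):
    """Build a constructed (not real) base64 public-key blob for the sample."""
    return base64.b64encode(wire_prefix(key_type) + filler).decode()

# Constructed sample authorized_keys content; none of these are real keys.
SAMPLE = "\n".join([
    "# constructed sample",
    f"ssh-ed25519 {sample_blob('ssh-ed25519', b'A' * 36)} alice@laptop",
    f"{TARGET} {sample_blob(TARGET, b'B' * 150)} bob@winbox",
    f'command="git-shell -c x",no-pty {TARGET} {sample_blob(TARGET, b"C" * 150)} ci-deploy',
    f"{TARGET} {sample_blob('ssh-rsa', b'D' * 150)} mislabeled",
    f"ecdsa-sha2-nistp256 {sample_blob('ecdsa-sha2-nistp256', b'E' * 80)} carol",
])

def blob_if_p521(blob_b64):
    """Return the decoded blob if it really embeds the P-521 type, else None."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except ValueError:
        return None
    return raw if raw.startswith(wire_prefix(TARGET)) else None

def find_p521_keys(text):
    """Return [(line_no, fingerprint, comment)] for every P-521 entry in text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options may precede the key type, so scan for the type token and
        # confirm it against the type embedded in the blob that follows it.
        for i, tok in enumerate(fields[:-1]):
            if tok == TARGET and (raw := blob_if_p521(fields[i + 1])):
                digest = base64.b64encode(hashlib.sha256(raw).digest()).decode()
                hits.append((no, "SHA256:" + digest.rstrip("="), " ".join(fields[i + 2:])))
                break
    return hits

if __name__ == "__main__":
    for no, fp, comment in find_p521_keys(SAMPLE):
        print(f"line {no}: {fp} {comment}")
```

The fingerprints use the same SHA256 format that `ssh-keygen -l` prints, so they can be matched against the keys registered with Git services and other SSH endpoints.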
 
Monitor/Detect
 
The CCB recommends that organizations scale up monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
 
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.