CVE-2024-31497 - Critical Security Vulnerability in PuTTY: Biased ECDSA Nonce Generation Compromises User's Secret Key

A critical security vulnerability (CVE-2024-31497) has been discovered in PuTTY versions .68 through .80, affecting its implementation of ECDSA (Elliptic Curve Digital Signature Algorithm). The issue lies in the biased nonce generation, which makes it possible for an attacker to recover a user's NIST P-521 secret key after collecting approximately 60 signatures.

This vulnerability is especially concerning in scenarios where an adversary is capable of reading messages signed by PuTTY or Pageant. For instance, an attacker may already have access to the required set of signed messages through a public Git service supporting SSH for commit signing, and the signatures were made by Pageant using an agent-forwarding mechanism.

Original References

- PuTTY Security Advisory
- CVE-2024-31497 Details

Exploit Details

The vulnerability stems from a flaw in the nonce generation process during the creation of ECDSA signatures with NIST P-521 curve. An adversary can exploit this flaw to perform a quick partial attack, recovering the user's secret key with just ~60 signatures.

Code Snippet

Here is a sample code snippet that demonstrates how nonce bias in ECDSA can be exploited to recover a user's secret key:

from ecdsa_attacks import attack_partial_nonce_bias

# Signature information collected by the attacker
signatures = collect_signatures()

# Recover the private key using collected signatures
private_key = attack_partial_nonce_bias(signatures)

# Perform unauthorized actions using recovered private key
conduct_supply_chain_attacks(private_key)

Impact and Mitigations

Given the widespread use of PuTTY and related software, this vulnerability poses a significant risk to user's secret keys, especially when stored in public Git services. In worst-case scenarios, an adversary can use the compromised keys to perform supply-chain attacks on software maintained in Git.

To mitigate the risk posed by CVE-2024-31497, users are strongly advised to update to PuTTY .81, FileZilla 3.67., WinSCP 6.3.3, TortoiseGit 2.15..1, and TortoiseSVN 1.14.7 or later. Users should also review their signed messages stored in public Git services and ensure that no unauthorized access or changes have been made.

Conclusion

The CVE-2024-31497 vulnerability in PuTTY and related software reveals a critical flaw in the implementation of ECDSA, allowing an adversary to compromise a user's secret key by exploiting biased nonce generation. Users are urged to update to the latest versions of the affected software and monitor their public Git services for unauthorized access or changes.

Timeline

Published on: 04/15/2024 20:15:11 UTC
Last modified on: 05/10/2024 14:33:55 UTC