The free software PuTTY can be used to establish connections to a server via Secure Shell, Telnet, remote login or serial interfaces. However, the software contains a critical vulnerability (CVE-2024-31497) that can be used to reconstruct private SSH keys. PuTTY versions 0.68 to 0.80 as well as other products (FileZilla, for example) are affected. Updating the products to a patched version is not enough on its own, as keys may already have been reconstructed.
PuTTY is free software for establishing connections via Secure Shell (SSH), Telnet, remote login or serial interfaces. PuTTY serves as a client and establishes the connection to a server. When the connection is established, the user's identity is verified using one of the provided authentication methods. PuTTY is available for Windows and Linux. In the text-oriented terminal session provided, commands can be issued directly and executed on the remote system. Graphical output is not possible, but an X server running on the client computer can be used. In addition, IPv6 is supported from version 0.58 and the serial interface from version 0.59.
PuTTY vulnerability CVE-2024-31497
PuTTY (versions 0.68 to 0.80) contains the critical vulnerability CVE-2024-31497, which allows an attacker to reconstruct the NIST P-521 private key using approximately 60 signatures. The vulnerability was discovered by Fabian Bäumer and Marcus Brinkmann (Ruhr University Bochum).
The problem is that the PuTTY client and all related components generate heavily biased ECDSA nonces in the case of NIST P-521. The discoverers state that the first 9 bits of every ECDSA nonce are zero. This makes it possible to reconstruct the complete secret private key from around 60 signatures using state-of-the-art techniques. The required signatures can be collected either by a malicious server (man-in-the-middle attacks are not possible) or from another source, e.g. signed Git commits made via forwarded agents.
In other words, an attacker may already have enough signature information to compromise a victim's private key. This applies even if vulnerable PuTTY versions are no longer used. Following a key compromise, an attacker may be able to conduct supply chain attacks on software managed in Git.
A second, independent scenario, according to NIST, is one in which the attacker operates an SSH server to which the victim authenticates (for remote login or file copying), even though the victim does not fully trust that server, and the victim has used the same private key for SSH connections to other services operated by other companies. Here the fraudulent server operator (who would otherwise have no way of discovering the victim's private key) can derive the victim's private key and then use it to gain unauthorized access to these other services.
If the other services include Git services, it is again possible to carry out supply chain attacks on software managed in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1 and TortoiseSVN up to 1.14.6.
Fixes are available
This vulnerability has been fixed in PuTTY 0.81 and FileZilla 3.67.0. The same applies to WinSCP 6.3.3 and TortoiseGit 2.15.0.1. TortoiseSVN users are recommended to configure the software to use Plink from the latest PuTTY 0.81 release when accessing an SVN repository over SSH until a patch is available.
ECDSA NIST P-521 keys used with any of the vulnerable products or components are considered compromised and should therefore be revoked (by removing them from the servers and services where they are authorized). PuTTY has issued this advisory on the issue.
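Revoking the affected keys first requires finding them. The following script is an added example, not code from the article or from the PuTTY project: it scans OpenSSH authorized_keys content and reports every entry whose key blob is an ECDSA key on NIST P-521, the only curve affected here. It decodes the base64 blob and reads the key type and curve name from the wire format itself rather than trusting the leading text field, so a mislabelled line is still caught. The sample keys are constructed placeholders with dummy points, not real public keys; only the file format and the key-type names are assumed.

```python
import base64
import struct
from typing import List, Optional, Tuple


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string at offset; return (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def parse_public_key_blob(b64: str) -> Tuple[str, Optional[str]]:
    """Return (key_type, curve_name) taken from the blob itself.

    ECDSA blobs are: string key_type, string curve_name, string point.
    Other key types start with the key_type string; curve_name is then None.
    """
    blob = base64.b64decode(b64, validate=True)
    key_type, off = _read_ssh_string(blob, 0)
    curve = None
    if key_type.startswith(b"ecdsa-sha2-"):
        curve, off = _read_ssh_string(blob, off)
    return key_type.decode("ascii"), (curve.decode("ascii") if curve is not None else None)


def find_p521_keys(authorized_keys_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, comment) for each entry that is ECDSA on NIST P-521."""
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        # Lines may begin with an options field (e.g. command="..."); locate the
        # key-type token. Options containing unquoted spaces are not handled here.
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        try:
            key_type, curve = parse_public_key_blob(fields[idx + 1])
        except (ValueError, struct.error):
            continue  # not a decodable key blob; skip rather than misreport
        comment = " ".join(fields[idx + 2:])
        if key_type == "ecdsa-sha2-nistp521" and curve == "nistp521":
            hits.append((lineno, comment))
    return hits


def _make_blob(key_type: str, curve: Optional[str]) -> str:
    """Build a constructed (dummy) public key blob for the sample below."""
    body = _ssh_string(key_type.encode())
    if curve is not None:
        body += _ssh_string(curve.encode())
    body += _ssh_string(b"\x04" + b"\x00" * 132)  # dummy point, not a real key
    return base64.b64encode(body).decode()


# Constructed sample authorized_keys content; none of these are real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample for the scanner",
    "ecdsa-sha2-nistp521 " + _make_blob("ecdsa-sha2-nistp521", "nistp521") + " alice@putty-laptop",
    "ecdsa-sha2-nistp256 " + _make_blob("ecdsa-sha2-nistp256", "nistp256") + " bob@laptop",
    "ssh-ed25519 " + _make_blob("ssh-ed25519", None) + " carol@laptop",
    'command="git-shell" ecdsa-sha2-nistp521 ' + _make_blob("ecdsa-sha2-nistp521", "nistp521") + " deploy@git",
    "ecdsa-sha2-nistp256 " + _make_blob("ecdsa-sha2-nistp521", "nistp521") + " mislabelled",
])

if __name__ == "__main__":
    for lineno, comment in find_p521_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: NIST P-521 key ({comment}) - revoke and replace")
```

Run it against a real authorized_keys file by passing the file's contents to find_p521_keys; every reported line is a candidate for removal and replacement with a key of a different type, in line with the advice above.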