CVE-2024-31497

In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is able to read messages signed by PuTTY or Pageant. The required set of signed messages may be publicly readable because they are stored in a public Git service that supports use of SSH for commit signing, and the signatures were made by Pageant through an agent-forwarding mechanism. In other words, an adversary may already have enough signature information to compromise a victim's private key, even if there is no further use of vulnerable PuTTY versions. After a key compromise, an adversary may be able to conduct supply-chain attacks on software maintained in Git. A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.
References
Link Resource
http://www.openwall.com/lists/oss-security/2024/04/15/6 Mailing List Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2275183 Issue Tracking
https://bugzilla.suse.com/show_bug.cgi?id=1222864 Issue Tracking
https://docs.ccv.brown.edu/oscar/connecting-to-oscar/ssh/ssh-agent-forwarding/key-generation-and-agent-forwarding-with-putty Product
https://filezilla-project.org/versions.php Release Notes
https://git.tartarus.org/?h=c193fe9848f50a88a4089aac647fecc31ae96d27&p=simon/putty.git Mailing List Patch
https://github.com/advisories/GHSA-6p4c-r453-8743 Third Party Advisory
https://github.com/daedalus/BreakingECDSAwithLLL Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/06/msg00014.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZS3B37GNGWOOV7QU7B7JFK76U4TOP4V/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MMHILY2K7HQGQRHOC375KRRG2M6625RD/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PUOTQVGC4DISVHQGSPUYGXO6TLDK65LA/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WFDZBV7ZCAZ6AH3VCQ34SSY7L3J7VZXZ/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMJH7M663BVO3SY6MFAW2FAZWLLXAPRQ/ Mailing List Third Party Advisory
https://news.ycombinator.com/item?id=40044665 Issue Tracking
https://security-tracker.debian.org/tracker/CVE-2024-31497 Third Party Advisory
https://securityonline.info/cve-2024-31497-critical-putty-vulnerability-exposes-private-keys-immediate-action-required/ Press/Media Coverage
https://tartarus.org/~simon/putty-snapshots/htmldoc/Chapter9.html#pageant-forward Product
https://tortoisegit.org Third Party Advisory
https://twitter.com/CCBalert/status/1780229237569470549 Press/Media Coverage
https://twitter.com/lambdafu/status/1779969509522133272 Press/Media Coverage
https://winscp.net/eng/news.php Third Party Advisory
https://www.bleepingcomputer.com/news/security/putty-ssh-client-flaw-allows-recovery-of-cryptographic-private-keys/ Press/Media Coverage
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html Release Notes Vendor Advisory
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html Vendor Advisory
https://www.openwall.com/lists/oss-security/2024/04/15/6 Mailing List Third Party Advisory
https://www.reddit.com/r/sysadmin/comments/1c4wmoj/putty_vulnerability_affecting_v068_to_v08/ Press/Media Coverage
Configurations

Configuration 1 (hide)

cpe:2.3:a:putty:putty:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:filezilla-project:filezilla_client:*:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:winscp:winscp:*:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:a:tortoisegit:tortoisegit:*:*:*:*:*:*:*:*

Configuration 5 (hide)

cpe:2.3:a:tigris:tortoisesvn:*:*:*:*:*:*:*:*

Configuration 6 (hide)

OR cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*

History

20 Jun 2024, 19:15

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2024/06/msg00014.html -

10 May 2024, 14:33

Type Values Removed Values Added
CPE cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*
cpe:2.3:a:tortoisegit:tortoisegit:*:*:*:*:*:*:*:*
cpe:2.3:a:winscp:winscp:*:*:*:*:*:*:*:*
cpe:2.3:a:tigris:tortoisesvn:*:*:*:*:*:*:*:*
cpe:2.3:a:putty:putty:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
cpe:2.3:a:filezilla-project:filezilla_client:*:*:*:*:*:*:*:*
CWE CWE-338
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.9
First Time Winscp winscp
Putty putty
Tortoisegit
Tigris tortoisesvn
Winscp
Fedoraproject fedora
Tortoisegit tortoisegit
Putty
Tigris
Fedoraproject
Filezilla-project filezilla Client
Filezilla-project
References () http://www.openwall.com/lists/oss-security/2024/04/15/6 - () http://www.openwall.com/lists/oss-security/2024/04/15/6 - Mailing List, Third Party Advisory
References () https://bugzilla.redhat.com/show_bug.cgi?id=2275183 - () https://bugzilla.redhat.com/show_bug.cgi?id=2275183 - Issue Tracking
References () https://bugzilla.suse.com/show_bug.cgi?id=1222864 - () https://bugzilla.suse.com/show_bug.cgi?id=1222864 - Issue Tracking
References () https://docs.ccv.brown.edu/oscar/connecting-to-oscar/ssh/ssh-agent-forwarding/key-generation-and-agent-forwarding-with-putty - () https://docs.ccv.brown.edu/oscar/connecting-to-oscar/ssh/ssh-agent-forwarding/key-generation-and-agent-forwarding-with-putty - Product
References () https://filezilla-project.org/versions.php - () https://filezilla-project.org/versions.php - Release Notes
References () https://git.tartarus.org/?h=c193fe9848f50a88a4089aac647fecc31ae96d27&p=simon/putty.git - () https://git.tartarus.org/?h=c193fe9848f50a88a4089aac647fecc31ae96d27&p=simon/putty.git - Mailing List, Patch
References () https://github.com/advisories/GHSA-6p4c-r453-8743 - () https://github.com/advisories/GHSA-6p4c-r453-8743 - Third Party Advisory
References () https://github.com/daedalus/BreakingECDSAwithLLL - () https://github.com/daedalus/BreakingECDSAwithLLL - Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZS3B37GNGWOOV7QU7B7JFK76U4TOP4V/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZS3B37GNGWOOV7QU7B7JFK76U4TOP4V/ - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MMHILY2K7HQGQRHOC375KRRG2M6625RD/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MMHILY2K7HQGQRHOC375KRRG2M6625RD/ - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PUOTQVGC4DISVHQGSPUYGXO6TLDK65LA/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PUOTQVGC4DISVHQGSPUYGXO6TLDK65LA/ - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WFDZBV7ZCAZ6AH3VCQ34SSY7L3J7VZXZ/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WFDZBV7ZCAZ6AH3VCQ34SSY7L3J7VZXZ/ - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMJH7M663BVO3SY6MFAW2FAZWLLXAPRQ/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMJH7M663BVO3SY6MFAW2FAZWLLXAPRQ/ - Mailing List, Third Party Advisory
References () https://news.ycombinator.com/item?id=40044665 - () https://news.ycombinator.com/item?id=40044665 - Issue Tracking
References () https://security-tracker.debian.org/tracker/CVE-2024-31497 - () https://security-tracker.debian.org/tracker/CVE-2024-31497 - Third Party Advisory
References () https://securityonline.info/cve-2024-31497-critical-putty-vulnerability-exposes-private-keys-immediate-action-required/ - () https://securityonline.info/cve-2024-31497-critical-putty-vulnerability-exposes-private-keys-immediate-action-required/ - Press/Media Coverage
References () https://tartarus.org/~simon/putty-snapshots/htmldoc/Chapter9.html#pageant-forward - () https://tartarus.org/~simon/putty-snapshots/htmldoc/Chapter9.html#pageant-forward - Product
References () https://tortoisegit.org - () https://tortoisegit.org - Third Party Advisory
References () https://twitter.com/CCBalert/status/1780229237569470549 - () https://twitter.com/CCBalert/status/1780229237569470549 - Press/Media Coverage
References () https://twitter.com/lambdafu/status/1779969509522133272 - () https://twitter.com/lambdafu/status/1779969509522133272 - Press/Media Coverage
References () https://winscp.net/eng/news.php - () https://winscp.net/eng/news.php - Third Party Advisory
References () https://www.bleepingcomputer.com/news/security/putty-ssh-client-flaw-allows-recovery-of-cryptographic-private-keys/ - () https://www.bleepingcomputer.com/news/security/putty-ssh-client-flaw-allows-recovery-of-cryptographic-private-keys/ - Press/Media Coverage
References () https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html - () https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html - Release Notes, Vendor Advisory
References () https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html - () https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html - Vendor Advisory
References () https://www.openwall.com/lists/oss-security/2024/04/15/6 - () https://www.openwall.com/lists/oss-security/2024/04/15/6 - Mailing List, Third Party Advisory
References () https://www.reddit.com/r/sysadmin/comments/1c4wmoj/putty_vulnerability_affecting_v068_to_v08/ - () https://www.reddit.com/r/sysadmin/comments/1c4wmoj/putty_vulnerability_affecting_v068_to_v08/ - Press/Media Coverage

01 May 2024, 18:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/04/15/6 -

26 Apr 2024, 02:15

Type Values Removed Values Added
References
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PUOTQVGC4DISVHQGSPUYGXO6TLDK65LA/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WFDZBV7ZCAZ6AH3VCQ34SSY7L3J7VZXZ/ -

25 Apr 2024, 06:15

Type Values Removed Values Added
References
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZS3B37GNGWOOV7QU7B7JFK76U4TOP4V/ -

23 Apr 2024, 18:15

Type Values Removed Values Added
References
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MMHILY2K7HQGQRHOC375KRRG2M6625RD/ -

18 Apr 2024, 02:15

Type Values Removed Values Added
References
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMJH7M663BVO3SY6MFAW2FAZWLLXAPRQ/ -

16 Apr 2024, 23:15

Type Values Removed Values Added
References
  • () https://github.com/daedalus/BreakingECDSAwithLLL -
  • () https://securityonline.info/cve-2024-31497-critical-putty-vulnerability-exposes-private-keys-immediate-action-required/ -
  • () https://twitter.com/CCBalert/status/1780229237569470549 -
  • () https://www.bleepingcomputer.com/news/security/putty-ssh-client-flaw-allows-recovery-of-cryptographic-private-keys/ -

16 Apr 2024, 13:24

Type Values Removed Values Added
Summary
  • (es) En PuTTY 0.68 a 0.80 antes de 0.81, la generación nonce ECDSA sesgada permite a un atacante recuperar la clave secreta NIST P-521 de un usuario mediante un ataque rápido en aproximadamente 60 firmas. Esto es especialmente importante en un escenario en el que un adversario puede leer mensajes firmados por PuTTY o Pageant. El conjunto requerido de mensajes firmados puede ser legible públicamente porque están almacenados en un servicio público Git que admite el uso de SSH para la firma de confirmación, y Pageant realizó las firmas a través de un mecanismo de reenvío de agentes. En otras palabras, es posible que un adversario ya tenga suficiente información de firma para comprometer la clave privada de una víctima, incluso si no se utilizan más versiones vulnerables de PuTTY. Después de un compromiso clave, un adversario puede realizar ataques a la cadena de suministro del software mantenido en Git. Un segundo escenario independiente es que el adversario sea un operador de un servidor SSH en el que la víctima se autentica (para inicio de sesión remoto o copia de archivos), aunque la víctima no confíe plenamente en este servidor y la víctima utilice la misma clave privada. para conexiones SSH a otros servicios operados por otras entidades. Aquí, el operador del servidor fraudulento (que de otro modo no tendría forma de determinar la clave privada de la víctima) puede obtener la clave privada de la víctima y luego usarla para acceder no autorizado a esos otros servicios. Si los otros servicios incluyen servicios Git, nuevamente es posible realizar ataques a la cadena de suministro del software mantenido en Git. Esto también afecta, por ejemplo, a FileZilla anterior a 3.67.0, WinSCP anterior a 6.3.3, TortoiseGit anterior a 2.15.0.1 y TortoiseSVN hasta 1.14.6.

15 Apr 2024, 23:15

Type Values Removed Values Added
References
  • () https://www.reddit.com/r/sysadmin/comments/1c4wmoj/putty_vulnerability_affecting_v068_to_v08/ -

15 Apr 2024, 22:15

Type Values Removed Values Added
References
  • () https://bugzilla.redhat.com/show_bug.cgi?id=2275183 -
  • () https://bugzilla.suse.com/show_bug.cgi?id=1222864 -
  • () https://docs.ccv.brown.edu/oscar/connecting-to-oscar/ssh/ssh-agent-forwarding/key-generation-and-agent-forwarding-with-putty -
  • () https://filezilla-project.org/versions.php -
  • () https://git.tartarus.org/?h=c193fe9848f50a88a4089aac647fecc31ae96d27&p=simon/putty.git -
  • () https://github.com/advisories/GHSA-6p4c-r453-8743 -
  • () https://news.ycombinator.com/item?id=40044665 -
  • () https://security-tracker.debian.org/tracker/CVE-2024-31497 -
  • () https://tartarus.org/~simon/putty-snapshots/htmldoc/Chapter9.html#pageant-forward -
  • () https://tortoisegit.org -
  • () https://twitter.com/lambdafu/status/1779969509522133272 -
  • () https://winscp.net/eng/news.php -
Summary (en) In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is able to read messages signed by PuTTY or Pageant. One scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. Because SSH is sometimes used to authenticate to Git services, it is possible that this vulnerability could be leveraged for supply-chain attacks on software maintained in Git. It is also conceivable that signed messages from PuTTY or Pageant are readable by adversaries more easily in other scenarios, but none have yet been disclosed. (en) In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is able to read messages signed by PuTTY or Pageant. The required set of signed messages may be publicly readable because they are stored in a public Git service that supports use of SSH for commit signing, and the signatures were made by Pageant through an agent-forwarding mechanism. In other words, an adversary may already have enough signature information to compromise a victim's private key, even if there is no further use of vulnerable PuTTY versions. After a key compromise, an adversary may be able to conduct supply-chain attacks on software maintained in Git. A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.

15 Apr 2024, 21:15

Type Values Removed Values Added
References
  • () https://www.openwall.com/lists/oss-security/2024/04/15/6 -

15 Apr 2024, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-04-15 20:15

Updated : 2024-06-20 19:15


NVD link : CVE-2024-31497

Mitre link : CVE-2024-31497

CVE.ORG link : CVE-2024-31497


JSON object : View

Products Affected

winscp

  • winscp

tortoisegit

  • tortoisegit

tigris

  • tortoisesvn

filezilla-project

  • filezilla_client

putty

  • putty

fedoraproject

  • fedora
CWE
CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)