PuTTY SSH Client Vulnerability Allows Recovery of Cryptographic Private Keys

April 16, 2024

A significant vulnerability has been discovered in the PuTTY SSH client, a popular open-source terminal emulator, serial console, and network file transfer application. The flaw, identified as CVE-2024-31497, could allow a threat actor with access to 60 cryptographic signatures to recover the private key that produced them. The software is predominantly used by system administrators and developers to remotely manage servers and other networked devices over SSH from a Windows-based client.

The vulnerability was uncovered by Fabian Bäumer and Marcus Brinkmann from the Ruhr University Bochum. The flaw stems from the way PuTTY generates ECDSA nonces (the per-signature secret values that must be unique and unpredictable) for the NIST P-521 curve used for SSH authentication. Specifically, the nonces are biased because PuTTY derived them deterministically, a method it adopted to compensate for the lack of a robust cryptographic random number generator on certain Windows versions.

According to PuTTY's security advisory, "PuTTY's technique worked by making a SHA-512 hash and then reducing it mod q, where q is the order of the group used in the DSA system. For integer DSA (for which PuTTY's technique was originally developed), q is about 160 bits; for elliptic-curve DSA (which came later), it has about the same number of bits as the curve modulus, so 256 or 384 or 521 bits for the NIST curves." The advisory further explained that the bias introduced by reducing a 512-bit number mod q is negligible in all cases except P521.
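To make the bias in that quote concrete, the following Python example (added here; it is not code from PuTTY or from the advisory) reproduces the described scheme, a SHA-512 digest reduced mod q, and measures how many leading bits of the nonce are forced to zero for each curve size. The moduli are constructed stand-ins that only share the bit length of the real group orders, and the secret is a placeholder; only the bit length matters for the effect shown.

```python
import hashlib
import os

# Bit lengths of the group orders for the curves the advisory names.
ORDER_BITS = {"nistp256": 256, "nistp384": 384, "nistp521": 521}
HASH_BITS = 512  # width of a SHA-512 digest, the value PuTTY reduced mod q


def stand_in_order(bits):
    # Constructed odd modulus of exactly `bits` bits. It is NOT a real curve
    # order; only the bit length matters for the bias being illustrated.
    return (1 << bits) - 1


def legacy_nonce(secret, message, q):
    # The pre-0.81 scheme as the advisory describes it: hash with SHA-512,
    # then reduce the 512-bit result modulo the group order q.
    digest = hashlib.sha512(secret + message).digest()
    return int.from_bytes(digest, "big") % q


def predicted_fixed_top_bits(order_bits):
    # A 512-bit value reduced mod a larger q is unchanged, so k can never
    # reach 2^512: the top (order_bits - 512) bits of k are always zero.
    return max(0, order_bits - HASH_BITS)


def observed_fixed_top_bits(curve, samples=2000, secret=None):
    # Empirically measure how many leading bits of k never vary across
    # many signatures made with the same (constructed) secret.
    order_bits = ORDER_BITS[curve]
    q = stand_in_order(order_bits)
    if secret is None:
        secret = os.urandom(66)  # constructed stand-in for the private key
    seen = 0
    for i in range(samples):
        message = i.to_bytes(4, "big")  # constructed distinct message per signature
        seen |= legacy_nonce(secret, message, q)
    # Every bit above the highest bit ever observed set is fixed at zero.
    return order_bits - seen.bit_length()


def bias_report():
    # Predicted vs observed fixed bits, and the entropy actually left in k.
    rows = {}
    for curve, bits in ORDER_BITS.items():
        fixed = predicted_fixed_top_bits(bits)
        rows[curve] = {
            "predicted_fixed_bits": fixed,
            "observed_fixed_bits": observed_fixed_top_bits(curve),
            "effective_nonce_bits": bits - fixed,
        }
    return rows


if __name__ == "__main__":
    for curve, row in bias_report().items():
        print(curve, row)
```

For nistp256 and nistp384 the digest is wider than q, so the reduction wraps and no bit is fixed; for nistp521 the digest is narrower than q, the reduction is a no-op, and the top 9 bits of every nonce are zero. That is exactly the "negligible in all cases except P521" distinction the advisory draws.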

The most significant consequence of recovering the private key is that it enables unauthorized access to SSH servers or the ability to sign commits as the developer. Attackers would require 58 signatures to calculate a target's private key, which they could gather either from logins to a compromised SSH server they control or from signed Git commits.

The developers have released a fix for the vulnerability in PuTTY version 0.81, which abandons the former nonce (k) generation method and adopts the RFC 6979 technique for all DSA and ECDSA keys. However, any P521 private keys generated using the vulnerable version of the tool should be deemed unsafe and replaced with new, secure keys. Third-party software that bundles the vulnerable PuTTY code is also affected, and users are advised to check their tools and take the necessary preventive actions.
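Replacing affected keys starts with finding them. The following Python example (added here; not code from PuTTY or the advisory) parses OpenSSH public key lines, checks that the declared type matches the type embedded in the key blob, and lists every `ecdsa-sha2-nistp521` entry so it can be queued for rotation. The sample authorized_keys lines are constructed with placeholder key bytes and are not real keys.

```python
import base64
import struct

# Key type the advisory singles out: P-521 keys used with vulnerable
# PuTTY builds are the ones to replace.
AFFECTED_KEY_TYPE = "ecdsa-sha2-nistp521"


def _ssh_string(data):
    # SSH wire-format string: 4-byte big-endian length prefix + bytes.
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob, offset):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_public_key_line(line):
    """Parse one authorized_keys / .pub line into its components.

    Returns None for blank lines and comments. Raises ValueError when the
    declared key type disagrees with the type embedded in the key blob.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split(None, 2)
    if len(fields) < 2:
        raise ValueError("malformed key line")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64)
    embedded_type, offset = _read_ssh_string(blob, 0)
    if embedded_type.decode() != key_type:
        raise ValueError(f"type field {key_type!r} != blob type {embedded_type!r}")
    curve = None
    if key_type.startswith("ecdsa-sha2-"):
        # ECDSA blobs carry the curve name as the second string.
        curve_name, _ = _read_ssh_string(blob, offset)
        curve = curve_name.decode()
    return {"type": key_type, "curve": curve, "comment": comment}


def keys_needing_rotation(lines):
    # Return (line number, comment) for every key of the affected type.
    flagged = []
    for number, line in enumerate(lines, start=1):
        parsed = parse_public_key_line(line)
        if parsed and parsed["type"] == AFFECTED_KEY_TYPE:
            flagged.append((number, parsed["comment"]))
    return flagged


def _constructed_key_line(key_type, payload, comment):
    # Build a syntactically valid key line from constructed, non-functional key material.
    blob = _ssh_string(key_type.encode()) + payload
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample file: the point/key bytes are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample authorized_keys",
    _constructed_key_line("ssh-ed25519", _ssh_string(b"\x00" * 32), "deploy@ci"),
    _constructed_key_line("ecdsa-sha2-nistp521",
                          _ssh_string(b"nistp521") + _ssh_string(b"\x04" + b"\x00" * 132),
                          "admin@workstation"),
    _constructed_key_line("ecdsa-sha2-nistp256",
                          _ssh_string(b"nistp256") + _ssh_string(b"\x04" + b"\x00" * 64),
                          "ops@laptop"),
]

if __name__ == "__main__":
    for number, comment in keys_needing_rotation(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {number}: {comment} uses {AFFECTED_KEY_TYPE}; rotate this key")
```

A public key does not record which tool generated it, so the scan flags every P-521 key; the owner then has to decide whether it was ever used with a PuTTY-based client older than 0.81. Running the same check over Git signing keys and other key stores covers the commit-signing case the article mentions.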
