
PUTTY SSH client flaw allows recovery of encrypted private keys


Hu Jinyu

Vulnerabilities

Introduction: More software tools may be affected by CVE-2024-31497, depending on the version of PuTTY they use.

The CVE-2024-31497 vulnerability in PuTTY 0.68 through 0.80 allows an attacker with access to 60 cryptographic signatures to recover the private key used to generate them.

PuTTY is a popular open source terminal emulator, serial console, and network file transfer application that supports SSH (Secure Shell), Telnet, SCP (Secure Copy Protocol), and SFTP (SSH File Transfer Protocol).

This software is primarily used by system administrators and developers to remotely access and manage servers and other network devices via SSH from Windows-based clients.

The vulnerability, tracked as CVE-2024-31497, is caused by the way PuTTY generates ECDSA nonces (one-time numbers that must be unique and unpredictable for every signature) for the NIST P-521 curve used for SSH authentication.

Specifically, the bias exists because PuTTY uses a deterministic method to generate these numbers, to compensate for the lack of a strong cryptographic random number generator on certain versions of Windows.

PuTTY's technique works by generating a SHA-512 hash and then reducing it mod q, where q is the order of the group used in the DSA system. For integer DSA (for which the technique was originally developed), q is about 160 bits; for elliptic-curve DSA (which came later), q has about the same number of bits as the curve modulus, so 256, 384 or 521 bits for the NIST curves.

In all cases except P-521, the bias introduced by reducing the 512-bit number mod q is negligible. But in the case of P-521, where q has 521 bits (that is, more than 512), reducing the 512-bit number mod q has no effect at all: the top 9 bits of the resulting value k are always zero.

The main impact of recovering the private key is that it allows unauthorized access to SSH servers, or signing commits as the developer, and possibly even a supply chain attack on the affected software project.

Exploiting CVE-2024-31497

A digital signature is created with the user's private key and verified with the corresponding public key on the server, which is how the user's identity and the communication are secured. An attacker would need 58 signatures to calculate a target's private key, which they could obtain from logins to an SSH server they control or have compromised, or by collecting signatures from signed Git commits.

Collecting signatures from an SSH server means the server itself has already been compromised, which gives the threat actor broad access to the operating system anyway. The method of obtaining signatures from public commits, however, is more practical for attackers.

In some cases, this vulnerability can be exploited without compromising the server beforehand. One such scenario is using SSH keys to sign Git commits. A common setup involves using Pageant (PuTTY's ssh agent) locally and forwarding the agent to the development host.

Here, Git is configured to use OpenSSH to sign Git commits with the SSH key supplied by Pageant, which generates the signatures; because those signatures carry the biased nonces, the private key becomes easily recoverable from them.

Defect fixed, other software affected

Developers fixed the vulnerability in PuTTY version 0.81, which abandons the previous k-generation method and switches to the RFC 6979 technique for all DSA and ECDSA keys.

However, it is worth noting that any P-521 private key generated with a vulnerable version of the tool should be considered unsafe and should be replaced with a new, securely generated key.
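The following Python script is an added illustration of the nonce problem described above and of the RFC 6979 replacement mentioned in the fix; it is not PuTTY's code. The "legacy" function is a simplified stand-in for the pre-0.81 scheme (a SHA-512 digest reduced mod q; the exact inputs PuTTY hashed are not reproduced here), and the private key and messages are constructed sample values. It measures how many leading bits of the nonce are forced to zero for P-256 versus P-521, and shows that an RFC 6979 HMAC-DRBG nonce for P-521 fills the full 521 bits.

```python
import hashlib
import hmac

# Group orders q of the NIST curves the article discusses (standard constants).
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P521_N = int(
    "01FF" + "FFFFFFFF" * 7 + "FFFFFFFA"
    + "51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
    16,
)

# Constructed demo private key (fits in both groups); not a real key.
PRIV = int.from_bytes(hashlib.sha512(b"constructed demo key").digest(), "big") % P256_N


def legacy_nonce(q: int, priv: int, msg_hash: bytes) -> int:
    """Simplified stand-in for the old scheme: a 512-bit SHA-512 digest reduced mod q.

    When q has more than 512 bits (P-521) the reduction does nothing, so k < 2**512
    and the top q.bit_length() - 512 = 9 bits of k are always zero.
    """
    rlen = (q.bit_length() + 7) // 8
    digest = hashlib.sha512(priv.to_bytes(rlen, "big") + msg_hash).digest()
    return int.from_bytes(digest, "big") % q


def rfc6979_nonce(q: int, priv: int, msg_hash: bytes) -> int:
    """Deterministic nonce per RFC 6979 section 3.2, using HMAC-SHA512 as the PRF."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    holen = hashlib.sha512().digest_size

    def bits2int(b: bytes) -> int:
        v = int.from_bytes(b, "big")
        excess = len(b) * 8 - qlen          # keep only the leftmost qlen bits
        return v >> excess if excess > 0 else v

    def int2octets(v: int) -> bytes:
        return v.to_bytes(rlen, "big")

    def bits2octets(b: bytes) -> bytes:
        return int2octets(bits2int(b) % q)  # bits2int(b) < 2q, so one reduction

    def hm(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha512).digest()

    seed = int2octets(priv) + bits2octets(msg_hash)
    V = b"\x01" * holen
    K = b"\x00" * holen
    K = hm(K, V + b"\x00" + seed)
    V = hm(K, V)
    K = hm(K, V + b"\x01" + seed)
    V = hm(K, V)
    while True:
        T = b""
        while len(T) * 8 < qlen:            # generate at least qlen bits
            V = hm(K, V)
            T += V
        k = bits2int(T)
        if 1 <= k < q:                      # accept only in-range candidates
            return k
        K = hm(K, V + b"\x00")              # otherwise re-key and try again
        V = hm(K, V)


def leading_zero_bits(q: int, k: int) -> int:
    """How many of the top bits of k (relative to the size of q) are zero."""
    return q.bit_length() - k.bit_length()


def min_leading_zero_bits(gen, q: int, priv: int, samples: int = 64) -> int:
    """Smallest leading-zero count seen over `samples` constructed messages.

    A healthy generator reaches 0 quickly (roughly half of all nonces have the
    top bit set); a biased one never drops below its forced zero bits.
    """
    counts = []
    for i in range(samples):
        msg_hash = hashlib.sha512(b"constructed message %d" % i).digest()
        counts.append(leading_zero_bits(q, gen(q, priv, msg_hash)))
    return min(counts)


if __name__ == "__main__":
    for name, q in (("P-256", P256_N), ("P-521", P521_N)):
        print(name, "legacy  min leading zero bits:", min_leading_zero_bits(legacy_nonce, q, PRIV))
        print(name, "RFC6979 min leading zero bits:", min_leading_zero_bits(rfc6979_nonce, q, PRIV))
```

For P-256 both generators reach a minimum of 0 leading zero bits, because reducing a 512-bit value mod a 256-bit q leaves the result effectively uniform. For P-521 the legacy stand-in never drops below 9 leading zero bits, which is exactly the bias that makes the key recoverable from a few dozen signatures, while the RFC 6979 nonce uses the full 521-bit range.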

The following software using vulnerable PuTTY has been confirmed to be affected:

·FileZilla 3.24.1 – 3.66.5 (fixed in 3.67.0)

·WinSCP 5.9.5 – 6.3.2 (fixed in 6.3.3)

·TortoiseGit 2.4.0.2 – 2.15.0 (fixed in 2.15.0.1)

·TortoiseSVN 1.10.0 – 1.14.6 (can be mitigated by configuring TortoiseSVN to use Plink in the latest PuTTY 0.81 version)

Additional software tools may be affected by CVE-2024-31497, depending on the version of PuTTY they are built on. Users are therefore advised to check their tools and take precautions as needed.

Article translated from: https://www.bleepingcomputer.com/news/security/putty-ssh-client-flaw-allows-recovery-of-cryptographic-private-keys/ If reprinted, please indicate the original address
