On April 15, 2024, Fabian Bäumer and Marcus Brinkmann of Ruhr University Bochum disclosed a PuTTY vulnerability (CVE-2024-31497) that can allow an attacker to recover a user's private key, forge signatures with it, and log into any remote server on which that key is authorized. PuTTY is a free and open-source terminal emulator, serial console and network file transfer application that supports several network protocols, including SCP, SSH, Telnet, rlogin, serial port and raw socket connections.
To fix this vulnerability, PuTTY's developers (in version 0.81) switched to the RFC 6979 technique for all DSA and ECDSA key types: the nonce is derived deterministically from the private key and the message hash through an HMAC-based pseudo-random function, so it fills the full width of the group order. EdDSA keys such as Ed25519 already used a different, unaffected deterministic scheme, which has not changed. The fix does not undo the leak, however: information about existing P-521 private keys has already escaped in every signature the old generator produced. At a user level, all NIST P-521 client keys ever used with a vulnerable PuTTY must be considered compromised, because the attack needs only those old signatures and can be carried out even after the root cause has been fixed in the source code.
This security flaw affects PuTTY versions 0.68 through 0.80 and lets an attacker who can collect signatures recover NIST P-521 private keys by exploiting biased ECDSA nonces generated by the PuTTY client and its components. Specifically, the nonces PuTTY generated for NIST P-521 were heavily biased: the top 9 bits of every nonce were always zero.
Elliptic Curve Digital Signature Algorithm (ECDSA), for context, is a cryptographic signing algorithm. It fulfills a similar role to RSA for message signing: an ECDSA public and private key pair are generated, and signatures made with the private key can be verified using the public key. Every ECDSA signature also consumes a fresh secret nonce, and the private key can be recovered if nonces repeat or are partly predictable. Ordinarily the nonce comes from a cryptographically secure pseudorandom number generator (CSPRNG); because PuTTY's signing code predates the CSPRNG API that Windows began shipping with Windows XP, its developers instead derived the nonce by hashing the private key together with the message with SHA-512 and reducing the 512-bit result modulo the group order q. For P-256 and P-384 that reduction leaves only a negligible bias. For P-521, q is 521 bits long, so a 512-bit hash is already smaller than q: the reduction does nothing, and the top 9 bits of the nonce are always zero.
The bias lets an attacker recover the full private key with lattice techniques from only around 60 signatures. Those signatures need not be captured from the client directly: public Git services that support SSH commit signing publish them alongside the commits, and signatures produced through agent forwarding are seen by whatever host the agent was forwarded to.
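As an added illustration (not code from the original article or from the PuTTY project), the script below reconstructs the shape of the old scheme, SHA-512 over the private key and the message hash reduced mod q, next to an RFC 6979 nonce generator, and measures the leading-zero-bit bias on P-256 and P-521. The byte layout fed to SHA-512 and the constructed message set are assumptions for the demo, not PuTTY's exact code; the RFC 6979 routine follows section 3.2 of that RFC, and the demo private key is the P-256 test key from its appendix A.2.5.

```python
import hashlib
import hmac

# NIST group orders (FIPS 186-4).  P-256's order is 256 bits; P-521's is 521
# bits, which is 9 bits more than a SHA-512 digest can ever fill.
P256_N = 0xFFFFFFFF_00000000_FFFFFFFF_FFFFFFFF_BCE6FAAD_A7179E84_F3B9CAC2_FC632551
P521_N = 0x01FF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFA_51868783_BF2F966B_7FCC0148_F709A5D0_3BB5C9B8_899C47AE_BB6FB71E_91386409

# Private scalar from RFC 6979 appendix A.2.5 (P-256 test vector).  It is also
# below P-521's order, so the same value serves as a demo key on both curves.
DEMO_PRIVATE_KEY = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721


def message_hash(msg):
    """SHA-256 of the message: the h1 input to both nonce generators below."""
    return hashlib.sha256(msg).digest()


def putty_style_nonce(q, x, h1):
    """Reconstruction of the pre-0.81 scheme's shape: SHA-512 over the private
    key and the message hash, reduced mod q.  The byte layout is an assumption
    for this demo; what matters is the 512-bit digest against a 521-bit q."""
    rlen = (q.bit_length() + 7) // 8
    digest = hashlib.sha512(x.to_bytes(rlen, "big") + h1).digest()
    return int.from_bytes(digest, "big") % q


def rfc6979_nonce(q, x, h1, hashfunc=hashlib.sha256):
    """Deterministic nonce per RFC 6979 section 3.2 (HMAC_DRBG over x and h1)."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    hlen = hashfunc().digest_size

    def bits2int(b):  # leftmost qlen bits of b, as an integer
        v = int.from_bytes(b, "big")
        excess = len(b) * 8 - qlen
        return v >> excess if excess > 0 else v

    def int2octets(v):
        return v.to_bytes(rlen, "big")

    def bits2octets(b):
        return int2octets(bits2int(b) % q)

    def mac(key, data):
        return hmac.new(key, data, hashfunc).digest()

    V = b"\x01" * hlen
    K = b"\x00" * hlen
    K = mac(K, V + b"\x00" + int2octets(x) + bits2octets(h1))
    V = mac(K, V)
    K = mac(K, V + b"\x01" + int2octets(x) + bits2octets(h1))
    V = mac(K, V)
    while True:
        T = b""
        while len(T) * 8 < qlen:  # keep pulling until T covers all of qlen
            V = mac(K, V)
            T += V
        k = bits2int(T)
        if 1 <= k < q:
            return k
        K = mac(K, V + b"\x00")
        V = mac(K, V)


def leading_zero_bits(k, q):
    """Number of top bits of k, viewed as a q-sized integer, that are zero."""
    return q.bit_length() - k.bit_length()


def min_leading_zero_bits(q, x, scheme, n_messages=200):
    """Smallest leading-zero count over n_messages constructed messages.  An
    unbiased generator hits 0 almost at once; a biased one never gets below
    its bias."""
    worst = q.bit_length()
    for i in range(n_messages):
        h1 = message_hash(b"constructed message %d" % i)
        worst = min(worst, leading_zero_bits(scheme(q, x, h1), q))
    return worst


if __name__ == "__main__":
    for name, q in (("P-256", P256_N), ("P-521", P521_N)):
        old = min_leading_zero_bits(q, DEMO_PRIVATE_KEY, putty_style_nonce)
        new = min_leading_zero_bits(q, DEMO_PRIVATE_KEY, rfc6979_nonce)
        print(f"{name}: SHA-512-mod-q nonces never have fewer than {old} leading "
              f"zero bits; RFC 6979 nonces never have fewer than {new}")
```

Running it reports 0 for P-256 under either scheme and for P-521 under RFC 6979, but 9 for P-521 under the old scheme: the same 9-bit bias the disclosure describes, present in every signature regardless of the message.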
Potential Attacks:
– An attacker who performs an active man-in-the-middle attack (e.g. via DNS spoofing) to redirect the user to a malicious SSH server can capture signatures to exploit this vulnerability if the user ignores the host key fingerprint change warning.
– An attacker who compromised an SSH server could also use it to capture signatures to exploit this vulnerability, then recover the user’s private key in order to compromise other systems.
– PuTTY is commonly used as the SSH transport for git+ssh by Windows development tools, and users can digitally sign git commits with their SSH key; the signatures are published alongside the commit as a way of authenticating that the commit was made by that user. These commit logs are publicly available on the internet, alongside the user's public key, so an attacker can search public repositories for P-521 ECDSA commit signatures. If those signatures were generated by a vulnerable version of PuTTY, the user's private key can be recovered and used to access servers that trust it or to make fraudulent signed commits under that user's identity.
Signatures are not exposed to passive eavesdroppers of SSH connections: the client's authentication signature is sent inside the encrypted channel established by key exchange, so harvesting signatures requires a server endpoint (compromised or impersonated) or a public record such as signed commits.
P-521 keys that have ever been used with any of the following software should be treated as compromised:
– PuTTY 0.68 – 0.80
– WinSCP 5.9.5 – 6.3.2
– TortoiseGit 2.4.0.2 – 2.15.0
– TortoiseSVN 1.10.0 – 1.14.6
– Or if a P-521 key has ever been used for git commit signing with development tools on Windows
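A practical follow-up to the list above, added here as an example and not taken from the article or from any of the listed projects, is to inventory the keys actually in use. The script parses authorized_keys and .pub lines and decodes each key blob's SSH wire format (RFC 4251 string encoding; RFC 5656 layout for ECDSA keys) to read the curve name instead of trusting the text prefix, then flags every nistp521 key. The sample lines are constructed inside the script and carry dummy public points, not real keys.

```python
import base64
import struct


def ssh_string(data):
    """Encode one RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob, offset):
    """Decode one RFC 4251 'string' at offset; returns (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def key_blob_curve(blob_b64):
    """Return (key_type, curve) from a base64 public key blob.  curve is None
    for non-ECDSA keys; for ecdsa-sha2-* keys the blob is
    string type || string curve_name || string Q (RFC 5656 section 3.1)."""
    blob = base64.b64decode(blob_b64, validate=True)
    key_type, off = read_ssh_string(blob, 0)
    if not key_type.startswith((b"ssh-", b"ecdsa-", b"sk-")):
        raise ValueError("not an SSH public key blob")
    if not key_type.startswith(b"ecdsa-sha2-"):
        return key_type.decode(), None
    curve, _ = read_ssh_string(blob, off)
    return key_type.decode(), curve.decode()


def find_p521_keys(lines):
    """Scan authorized_keys / *.pub lines; return (line_no, key_type, comment)
    for each key whose decoded blob names the nistp521 curve."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        # authorized_keys lines may carry an options field before the key type,
        # so locate the type by prefix and decode the field that follows it.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                key_type, curve = key_blob_curve(fields[i + 1])
                if curve == "nistp521":
                    hits.append((line_no, key_type, " ".join(fields[i + 2:])))
                break
    return hits


def fake_blob(key_type, curve=None):
    """Constructed blob with the right wire structure and an all-zero public
    point (dummy data, not a usable key)."""
    blob = ssh_string(key_type)
    if curve is not None:
        point_len = {b"nistp256": 65, b"nistp384": 97, b"nistp521": 133}[curve]
        blob += ssh_string(curve) + ssh_string(b"\x04" + b"\x00" * (point_len - 1))
    else:
        blob += ssh_string(b"\x00" * 32)
    return base64.b64encode(blob).decode()


# Constructed sample file: one plain P-521 key, one P-256 key, one P-521 key
# behind an authorized_keys options field, one Ed25519 key.
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample authorized_keys, dummy keys only",
    "ecdsa-sha2-nistp521 " + fake_blob(b"ecdsa-sha2-nistp521", b"nistp521") + " alice@putty-host",
    "ecdsa-sha2-nistp256 " + fake_blob(b"ecdsa-sha2-nistp256", b"nistp256") + " bob@laptop",
    'restrict,command="/usr/bin/git-shell" ecdsa-sha2-nistp521 '
    + fake_blob(b"ecdsa-sha2-nistp521", b"nistp521") + " deploy@ci",
    "ssh-ed25519 " + fake_blob(b"ssh-ed25519") + " carol@desk",
]

if __name__ == "__main__":
    for line_no, key_type, comment in find_p521_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {line_no}: {key_type} ({comment}) - rotate if ever used with an affected client")
```

Point the scanner at the real files (the lines of ~/.ssh/authorized_keys on every server, plus the .pub files on Windows clients); every key it reports should be rotated if it was ever used with any of the software listed above.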
Centripetal’s CleanINTERNET® can help monitor and shield unexpected SSH connections to potentially malicious hosts.
Resources:
- Vulnerability Details: CVE-2024-31497 – CVEdetails.com
- Openwall.com
- CVE-2024-31497 – National Vulnerability Database
- PuTTY vulnerability vuln-p521-bias – chiark.greenend.org.uk
- CVE-2024-31497 – MITRE
- Flaw in PuTTY P-521 ECDSA signature generation links SSH private keys – LRQA Nettitude Labs
- Crazy Crypto: Meet CVE-2024-31496 – Medium