PuTTY Client Vulnerability Lets Attackers Recover Private Keys

A severe vulnerability has been discovered in the PuTTY client and related components, allowing attackers to fully recover NIST P-521 private keys.

The PuTTY client generates heavily biased ECDSA nonces when using the NIST P-521 elliptic curve, causing the vulnerability tracked as CVE-2024-31497.

PuTTY Client Vulnerability

The PuTTY client and all related components, including FileZilla, WinSCP, TortoiseGit, and TortoiseSVN, generate ECDSA nonces with the first 9 bits set to zero when using the NIST P-521 elliptic curve.

This significant bias in the nonce generation allows attackers to recover the full private key after observing roughly 60 valid ECDSA signatures from the same key.

The attack works by leveraging state-of-the-art lattice-based techniques to recover the private key from the biased nonces.

Document

Stop Advanced Phishing Attack With AI

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by
other email security solutions. .

An attacker can either harvest the signatures from a malicious server (since the signatures are transmitted over the secure SSH channel) or from any other source, such as signed git commits.

“All NIST P-521 client keys used with PuTTY must be considered compromised, given that the attack can be carried out even after the root cause has been fixed in the source code (assuming that ~60 pre-patch signatures are available to an adversary),” the advisory states.

Impact and Affected Products

The nonce bias vulnerability allows for full secret key recovery of NIST P-521 keys after an attacker has observed approximately 60 valid ECDSA signatures generated by any PuTTY component under the same key.

This means that the attacker can forge any data signed with these compromised keys, such as git commits.

The following PuTTY-related products are affected by this vulnerability: