PuTTY Vulnerability Allows Recovery of a User's Private Key

A dangerous vulnerability (CVE-2024-31497) has recently been disclosed in PuTTY, an SSH client popular on Windows. It allows an attacker to recover a user's private key generated with the ECDSA algorithm on the NIST P-521 elliptic curve (ecdsa-sha2-nistp521). By analysing about 60 digital signatures produced with an affected key, an attacker can recover the private key.

The vulnerability affects PuTTY 0.68 and other products that bundle vulnerable versions of PuTTY, such as FileZilla (3.24.1 – 3.66.5), WinSCP (5.9.5 – 6.3.2), TortoiseGit (2.4.0.2 – 2.15.0) and TortoiseSVN (1.10.0 – 1.14.6). The issue is fixed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3 and TortoiseGit 2.15.0.1. After installing the updates, users are advised to generate new keys and remove the old public keys from their authorized_keys files.

The vulnerability stems from the developers using a 512-bit random value as the nonce when computing signatures with a 521-bit key, on the assumption that 512 bits of entropy would suffice and the remaining 9 bits were insignificant. As a result, the leading 9 bits of the nonce are always zero in every signature made with a PuTTY-generated ecdsa-sha2-nistp521 private key.

For the ECDSA and DSA algorithms, the quality of the pseudo-random number generator and full random coverage of the nonce used in the modular computation are crucial. Even a few bits of information about the nonce can enable an attack that sequentially reconstructs the entire private
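As an added illustration (not code from the article or from PuTTY), the block below contrasts the flawed 512-bit nonce sampling with full-width rejection sampling over the P-521 group order, and then does the check an administrator wants after reading the advisory: it scans an authorized_keys file and lists the ecdsa-sha2-nistp521 entries that should be rotated. The P521_ORDER constant is the curve order from FIPS 186-4; the sample authorized_keys content is constructed filler, not real keys.

```python
import base64
import os
import struct

# Group order n of NIST P-521 (FIPS 186-4 / SEC 2); it is a 521-bit number.
P521_ORDER = 6864797660130609714981900799081393217269435300143305409394463459185543183397655394245057746333217197532963996371363321113864768612440380340372808892707005449

def flawed_nonce() -> int:
    """The pattern the article describes: 512 random bits used as the nonce for a
    521-bit group, so the leading 9 bits of the 521-bit value are always zero."""
    return int.from_bytes(os.urandom(64), "big") % P521_ORDER

def proper_nonce() -> int:
    """Rejection-sample a full-width nonce uniformly from [1, n-1]."""
    while True:
        k = int.from_bytes(os.urandom(66), "big") >> (66 * 8 - 521)  # keep 521 bits
        if 1 <= k < P521_ORDER:
            return k

def _first_ssh_string(blob: bytes) -> bytes:  # SSH wire string: 4-byte length + data
    return blob[4:4 + struct.unpack(">I", blob[:4])[0]]

def find_p521_keys(authorized_keys_text: str) -> list:
    """Comments of every ecdsa-sha2-nistp521 entry, judged by the type string inside the blob."""
    hits = []
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options such as from="..." may precede the key type; locate the type token.
        idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        try:
            key_type = _first_ssh_string(base64.b64decode(fields[idx + 1], validate=True))
        except (ValueError, struct.error):
            continue
        if key_type == b"ecdsa-sha2-nistp521":
            hits.append(" ".join(fields[idx + 2:]) or "<no comment>")
    return hits

def _blob(*parts: bytes) -> str:  # base64 of length-prefixed SSH strings
    return base64.b64encode(b"".join(struct.pack(">I", len(p)) + p for p in parts)).decode()

# Constructed sample file for the demo; the key material is filler, not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ecdsa-sha2-nistp521 " + _blob(b"ecdsa-sha2-nistp521", b"nistp521", b"\x04" + b"\x11" * 132) + " alice@laptop",
    "ecdsa-sha2-nistp256 " + _blob(b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x22" * 64) + " bob@desktop",
    'from="10.0.0.0/8" ssh-ed25519 ' + _blob(b"ssh-ed25519", b"\x33" * 32) + " deploy",
])
```

Running `find_p521_keys` over a real authorized_keys file gives the list of entries to replace once the signing client has been upgraded.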
