PuTTY SSH Client Flaw Allows Recovery of Cryptographic Private Keys

CVE-2024-31497, affecting PuTTY versions 0.68 through 0.80, is a critical vulnerability that allows an attacker to recover a user's cryptographic private key. The flaw lies in how PuTTY generates ECDSA nonces: the nonces are biased, and that bias lets an attacker recover the private key from signatures made with it, particularly on the NIST P-521 curve.

Attackers can exploit this vulnerability by collecting 60 cryptographic signatures, either from compromised SSH servers or from signed Git commits. The latter source is the more significant threat, since it requires no prior compromise of a server.

Security Officer Comments:
One alarming scenario involves SSH keys used for signing Git commits, where the Pageant SSH agent, commonly integrated with PuTTY, becomes a target for private key recovery. The risk is greatest when the Git signatures are publicly accessible, as they are in GitHub repositories. The impact extends beyond PuTTY itself: FileZilla, WinSCP, TortoiseGit, and TortoiseSVN incorporate the vulnerable PuTTY versions, and users of these tools should update to releases that address the flaw to mitigate the risk of private key exposure.

Suggested Corrections:
The fix in PuTTY version 0.81 adopts the RFC 6979 deterministic-nonce technique for all DSA and ECDSA keys. The fix does not help keys that were already exposed: any P-521 private key generated with a vulnerable version should be considered compromised and replaced with a newly generated one.