CVE-2024-31497: Secret Key Recovery

 

The vulnerability is due to a biased ecdsa-sha2-nistp521 nonce generation that allows an attacker to recover a user's NIST P-521 secret key after seeing roughly 60 valid ECDSA signatures generated by any PuTTY component under the same key.

 

Two scenarios are particularly concerning: 

 

1. An adversary is able to read messages signed by PuTTY or Pageant. 

These signed messages may be publicly readable because they are stored in a public Git service that supports the use of SSH for commit signing. An adversary may already have enough signature information to compromise a victim's private key to further conduct a supply-chain attack. 

 

2. The adversary is an operator of an SSH server to which the victim authenticates, even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the server operated by the attacker can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git.

 

All NIST P-521 client keys used with PuTTY must be considered compromised, as the attack can be carried out even after the root cause has been fixed in the source code (assuming that ~60 pre-patch signatures are available to an adversary).