Proof-of-Concept (PoC) Released for Critical PuTTY Private Key Recovery Vulnerability

Security researchers have published a Proof-of-Concept (PoC) exploit for a critical vulnerability in the widely used PuTTY SSH and Telnet client.

The flaw, CVE-2024-31497, permits attackers to recover private keys generated with the NIST P-521 elliptic curve in PuTTY versions 0.68 through 0.80. This vulnerability arises from PuTTY’s biased generation of ECDSA nonces when using the P-521 curve.

Researchers discovered that the first 9 bits of each nonce are consistently zero, allowing for full private key recovery from approximately 60 signatures using lattice cryptanalysis techniques.

Security researcher Hugo Bond demonstrated the attack’s feasibility by publishing a PoC exploit on GitHub. Leveraging the nonce bias, the PoC recovers the private key from a set of signatures generated by a vulnerable PuTTY version.

POC Revealed for Critical PuTTY Private Key Recovery Vulnerability

Attackers could obtain the necessary signatures through various means, like setting up a malicious SSH server to capture signatures from connecting PuTTY clients, or extracting signatures from signed Git commits or other sources employing PuTTY as an SSH agent.

The vulnerability impacts not just the PuTTY client but also several other widely-used tools integrating vulnerable PuTTY versions, including:

FileZilla 3.24.1 – 3.66.5
WinSCP 5.9.5 – 6.3.2
TortoiseGit 2.4.0.2 – 2.15.0
TortoiseSVN 1.10.0 – 1.14.6

PuTTY developers have released version 0.81 to fix the flaw, and most affected third-party tools also have patched versions available. However, the attack remains viable if an attacker possesses around 60 signatures from a vulnerable version.

Thus, any NIST P-521 keys used with PuTTY or related tools should be deemed compromised and revoked immediately.

Given PuTTY’s popularity as a prominent SSH client, particularly on Windows, this vulnerability carries significant implications. It is imperative for all users to promptly upgrade to patched versions and replace any potentially compromised keys. The availability of a PoC exploit raises concerns about potential exploitation by threat actors in real-world scenarios.