Date: Mon, 15 Apr 2024 21:15:22 +0200 From: Fabian Bäumer To: oss-security@...ts.openwall.com Cc: Marcus Brinkmann Subject: CVE-2024-31497: Secret Key Recovery of NIST P-521 Private Keys Through Biased ECDSA Nonces in PuTTY Client ### Summary The PuTTY client and all related components generate heavily biased ECDSA nonces in the case of NIST P-521. To be more precise, the first 9 bits of each ECDSA nonce are zero. This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques. These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents. The nonce generation for other curves is slightly biased as well. However, the bias is negligible and far from enough to perform lattice-based key recovery attacks (not considering cryptanalytical advancements). ### Affected Products - PuTTY 0.68 - 0.80 The following (not necessarily complete) list of products bundle an affected PuTTY version and are therefore vulnerable as well: - FileZilla 3.24.1 - 3.66.5 - WinSCP 5.9.5 - 6.3.2 - TortoiseGit 2.4.0.2 - 2.15.0 - TortoiseSVN 1.10.0 - 1.14.6 ### Impact The nonce bias allows for full secret key recovery of NIST P-521 keys after a malicious actor has seen roughly 60 valid ECDSA signatures generated by any PuTTY component under the same key. Luckily, client signatures are transmitted within the secure channel of SSH, requiring a malicious server to acquire such signatures. If the key has been used to sign arbitrary data (e.g., git commits by forwarding Pageant to a development host), the publicly available signatures (e.g., on GitHub) can be used as well. All NIST P-521 client keys used with PuTTY must be considered compromised, given that the attack can be carried out even after the root cause has been fixed in the source code (assuming that ~60 pre-patch signatures are available to an adversary). ### Mitigations This vulnerability has been fixed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1. Users of TortoiseSVN are advised to configure TortoiseSVN to use Plink from the latest PuTTY 0.81 release when accessing a SVN repository via SSH until a patch becomes available. ECDSA NIST-P521 keys used with any vulnerable product / component should be considered compromised and consequently revoked by removing them from authorized_keys, GitHub, ... ### CVE This vulnerability has been assigned CVE-2024-31497. -- M. Sc. Fabian Bäumer Chair for Network and Data Security Ruhr University Bochum Universitätsstr. 150, Building MC 4/145 44780 Bochum Germany