A severe security vulnerability has been identified in the widely used PuTTY client and its related components, affecting versions 0.68 to 0.80. The flaw, tracked as CVE-2024-31497, allows full recovery of the secret key when the NIST P-521 elliptic curve digital signature algorithm (ECDSA) is used, because the nonces are generated with a heavy bias.
Security researchers have found that the first 9 bits of each ECDSA nonce generated by the affected PuTTY versions are consistently zero. This bias enables attackers to recover the full secret key after observing approximately 60 valid ECDSA signatures generated under the same key.
Man-in-the-middle attacks are not possible, since clients do not transmit their signatures in clear text, but a malicious server can still harvest these signatures.
The vulnerability extends beyond the PuTTY client itself, as several popular products bundle affected PuTTY versions. These include FileZilla (versions 3.24.1 to 3.66.5), WinSCP (versions 5.9.5 to 6.3.2), TortoiseGit (versions 2.4.0.2 to 2.15.0), and TortoiseSVN (versions 1.10.0 to 1.14.6). Users of these products are advised to update to the latest patched versions as soon as possible.
According to PuTTY maintainers, 521-bit ECDSA is the only affected key type. “Other sizes of ECDSA, and other key algorithms, are unaffected. In particular, Ed25519 is not affected,” they said.
The impact of this vulnerability is significant, as all NIST P-521 client keys used with PuTTY must now be considered compromised. Even if the root cause is fixed in the source code, an attacker can still carry out the attack if they have access to roughly 60 pre-patch signatures.
This means that any keys used to sign arbitrary data, such as git commits through forwarded agents, can also be compromised if the signatures are publicly available on platforms like GitHub.
To mitigate the risk, users should upgrade to PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1. TortoiseSVN users are advised to configure the application to use Plink from the latest PuTTY 0.81 release when accessing SVN repositories via SSH until a patch becomes available.
“Remove the old public key from all OpenSSH authorized_keys files, and the equivalent in other SSH servers, so that a signature from the compromised key has no value any more. Then generate a new key pair to replace it,” PuTTY maintainers advised.
Additionally, all ECDSA NIST-P521 keys used with any vulnerable product or component should be removed immediately from authorized_keys, GitHub, and other relevant locations.
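As an added example (not from the article or the PuTTY project), a small Python scanner that lists the ecdsa-sha2-nistp521 entries in an authorized_keys file so they can be removed as advised above. It parses the entry format (optional options field, key type, base64 blob, comment) and reads the curve name from inside the blob rather than trusting the label; the sample file and its zero-filled, non-functional key blobs are constructed for this example.

```python
import base64
import struct

def read_ssh_strings(blob: bytes, count: int) -> list:
    """Decode the first `count` SSH wire-format strings (uint32 length + bytes) from a blob."""
    out, pos = [], 0
    for _ in range(count):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])  # struct.error if truncated
        if pos + 4 + n > len(blob):
            raise ValueError("truncated key blob")
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out
def parse_entry(line: str):
    """Return (key_type, blob, comment), or None for blanks/comments. A leading options field
    is skipped: the key type is the first token whose successor decodes to a blob naming it."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    for i in range(len(tokens) - 1):
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
            (inner_type,) = read_ssh_strings(blob, 1)
        except (ValueError, struct.error):  # binascii.Error subclasses ValueError
            continue
        if inner_type == tokens[i].encode():
            return tokens[i], blob, " ".join(tokens[i + 2:])
    raise ValueError(f"unparseable authorized_keys entry: {stripped[:40]!r}")
def find_affected_keys(text: str) -> list:
    """(line_no, comment) of each P-521 ECDSA entry, the only key type CVE-2024-31497
    affects; the curve name is read from inside the blob, not trusted from the label."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parsed = parse_entry(line)
        if parsed and parsed[0] == "ecdsa-sha2-nistp521" \
                and read_ssh_strings(parsed[1], 2)[1] == b"nistp521":
            hits.append((line_no, parsed[2]))
    return hits
def fake_blob(*fields: bytes) -> str:
    """CONSTRUCTED blob of zero-filled fields for the sample below; not a usable key."""
    return base64.b64encode(b"".join(struct.pack(">I", len(f)) + f for f in fields)).decode()
P521 = fake_blob(b"ecdsa-sha2-nistp521", b"nistp521", b"\x04" + bytes(132))
SAMPLE_AUTHORIZED_KEYS = "\n".join([  # constructed sample: entries 1 and 2 must go
    f"ecdsa-sha2-nistp521 {P521} alice@putty",
    f'command="/usr/bin/backup --all",no-pty ecdsa-sha2-nistp521 {P521} backup-host',
    f"ecdsa-sha2-nistp256 {fake_blob(b'ecdsa-sha2-nistp256', b'nistp256', bytes(65))} bob",
    f"ssh-ed25519 {fake_blob(b'ssh-ed25519', bytes(32))} carol@putty",
])
```

Running `find_affected_keys` over a real file (for example `open("~/.ssh/authorized_keys").read()`) returns only the P-521 entries, leaving P-256 and Ed25519 keys untouched, consistent with the maintainers' statement that only 521-bit ECDSA is affected.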