by @Smartkeyss
26 Apr 2024

Understanding a critical vulnerability in PuTTY: biased ECDSA nonce generation revealing NIST P-521 private keys (CVE-2024-31497)

CVEs

5.9 Medium Severity

Summary

PuTTY versions 0.68 through 0.80 (everything prior to 0.81) generate biased ECDSA nonces, which lets an attacker recover a user's NIST P-521 private key quickly from about 60 signatures. If an attacker can read messages signed by PuTTY or Pageant, they can compromise the victim's private key, enabling supply-chain attacks on Git-hosted software. Likewise, if an adversary operates an SSH server and the victim authenticates to it with the same private key they use for other services, the adversary can derive the key and gain unauthorized access to those services. The vulnerability also affects software that bundles PuTTY's code: FileZilla, WinSCP, TortoiseGit, and TortoiseSVN.
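As an added defensive check (this is example code written for this page, not PuTTY's code and not part of the original post): the audit below parses OpenSSH authorized_keys lines, decodes each key blob, and flags every key whose wire-format type is ecdsa-sha2-nistp521, the only key type this nonce bias exposes, so that such keys can be revoked and regenerated. The sample authorized_keys content, the key material and the user comments are constructed placeholders.

```python
import base64
import struct
# CVE-2024-31497 affects only ECDSA keys on NIST P-521; other key types are not at risk.
AFFECTED_TYPE = "ecdsa-sha2-nistp521"
_ssh_string = lambda data: struct.pack(">I", len(data)) + data  # SSH wire string: u32 length + bytes
def _read_string(blob, off):
    """Decode one SSH wire-format string at offset off; return (bytes, offset after it)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])  # struct.error if fewer than 4 bytes remain
    data = blob[off + 4:off + 4 + n]
    if len(data) != n:
        raise ValueError("truncated key blob")
    return data, off + 4 + n
def parse_authorized_key(line):
    """Return (key_type, curve_name_or_None, comment) for one authorized_keys line, else None."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    # An options field (e.g. "no-pty,from=...") may precede the key type; quoted option values with spaces are not handled.
    idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None or idx + 1 >= len(fields):
        return None
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
        wire_type, off = _read_string(blob, 0)
        curve = _read_string(blob, off)[0].decode() if wire_type.startswith(b"ecdsa-sha2-") else None
    except (ValueError, struct.error, UnicodeDecodeError):
        return None  # undecodable or truncated blob (binascii.Error is a ValueError subclass)
    if wire_type != fields[idx].encode():
        return None  # text key type and wire-format key type disagree: treat as malformed
    return fields[idx], curve, " ".join(fields[idx + 2:])
def find_affected_keys(authorized_keys_text):
    """Return the comment (or type, if uncommented) of every NIST P-521 ECDSA key in the text."""
    hits = []
    for line in authorized_keys_text.splitlines():
        parsed = parse_authorized_key(line)
        if parsed and parsed[0] == AFFECTED_TYPE and parsed[1] == "nistp521":
            hits.append(parsed[2] or parsed[0])
    return hits
def _fake_key_line(key_type, curve, comment, options=""):
    """Build a constructed authorized_keys line; the key material is a dummy, not a real key."""
    blob = _ssh_string(key_type.encode()) + (_ssh_string(curve.encode()) if curve else b"")
    blob += _ssh_string(b"\x04" + b"\x11" * 132)  # placeholder point bytes, never a valid key
    return f"{options}{key_type} {base64.b64encode(blob).decode()} {comment}"
SAMPLE_AUTHORIZED_KEYS = "\n".join([  # constructed sample: comment, affected P-521, P-256 with options, Ed25519
    "# constructed sample, not real keys",
    _fake_key_line("ecdsa-sha2-nistp521", "nistp521", "alice@putty-host"),
    _fake_key_line("ecdsa-sha2-nistp256", "nistp256", "bob@laptop", options="no-pty "),
    _fake_key_line("ssh-ed25519", None, "carol@ci"),
])
```

Running `find_affected_keys(SAMPLE_AUTHORIZED_KEYS)` on the constructed sample returns only the P-521 entry; point it at a real authorized_keys file's contents to list the keys that should be rotated.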

Description
