by @Smartkeyss
26 Apr 2024

Understanding a critical vulnerability in PuTTY biased ECDSA nonce generation revealing NIST P-521 private keys (CVE-2024-31497)

by @Smartkeyss
26 Apr 2024

Understanding a critical vulnerability in PuTTY biased ECDSA nonce generation revealing NIST P-521 private keys (CVE-2024-31497)

CVEs

5.9 Medium Severity

PoC video

Summary

PuTTY versions 0.68 through 0.80 (prior to 0.81) have a flaw in biased ECDSA nonce generation, allowing attackers to quickly recover a user's NIST P-521 secret key in about 60 signatures. If attackers can read signed messages by PuTTY or Pageant, they may compromise a victim's private key, enabling supply-chain attacks on Git-hosted software. Similarly, if an adversary operates an SSH server where the victim uses the same private key for other services, the adversary can derive the key and gain unauthorized access. This vulnerability also affects FileZilla, WinSCP, TortoiseGit, and TortoiseSVN.

Description

users/photos/clsevlral8gef1hon15grbvup.jpg

@Smartkeyss

59 posts

I am just curious 😊 I use simple words to explain complicated things.

Total vcoins

98.4K

Comments (0)