Menu
What's new
By:
Filters Better Search

CVE-2024-31497: PuTTY vulnerability vuln-p521-bias

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

XIII

XIII

Very Senior Member
Every version of the PuTTY tools from 0.68 to 0.80 inclusive has a critical vulnerability in the code that generates signatures from ECDSA private keys which use the NIST P521 curve. (PuTTY, or Pageant, generates a signature from a key when using it to authenticate you to an SSH server.)
Click to expand...

Therefore, if you have a key of this type, we recommend you revoke it immediately: remove the old public key from all OpenSSH authorized_keys files, and the equivalent in other SSH servers, so that a signature from the compromised key has no value any more. Then generate a new key pair to replace it.
Click to expand...

The good news: the only affected key type is 521-bit ECDSA. That is, a key that appears in Windows PuTTYgen with ecdsa-sha2-nistp521 at the start of the 'Key fingerprint' box, or is described as 'NIST p521' when loaded into Windows Pageant, or has an id starting ecdsa-sha2-nistp521 in the SSH protocol or the key file. Other sizes of ECDSA, and other key algorithms, are unaffected. In particular, Ed25519 is not affected.
Click to expand...

PuTTY vulnerability vuln-p521-bias

www.chiark.greenend.org.uk www.chiark.greenend.org.uk
 
It's not just putty, but code that includes putty... the one that many use here is WinSCP, so make sure you update it as well when updating your putty instance...

=======

- PuTTY 0.68 - 0.80

The following (not necessarily complete) list of products bundle an
affected PuTTY version and are therefore vulnerable as well:

- FileZilla 3.24.1 - 3.66.5
- WinSCP 5.9.5 - 6.3.2
- TortoiseGit 2.4.0.2 - 2.15.0
- TortoiseSVN 1.10.0 - 1.14.6
 
Source: https://securityaffairs.com/161921/security/putty-ssh-client-flaw.html
The flaw has been fixed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1. TortoiseSVN users are recommended to configure TortoiseSVN to use Plink from the latest PuTTY 0.81 release when accessing a SVN repository via SSH until a patch becomes available.
Click to expand...
Any product or component using ECDSA NIST-P521 keys impacted by the flaw CVE-2024-31497 should be deemed compromised. These keys should be revoked by removing them from authorized_keys, GitHub repositories, and any other relevant platforms.
Click to expand...
 
You must log in or register to reply here.

Similar threads

decedion
Impossible access to router via SSH
Replies
13
Views
9K
jmir
J
Similar threads
Thread starter Title Forum Replies Date
D News Universal local privilege escalation linux cve-2024-1086 General Network Security 0
sfx2000 CVE-2024-3094 - XZ Utils Backdoor - addtional info General Network Security 12

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 675 (members: 20, guests: 655)
Top