Skip to main content

PuTTY vulnerability vuln-p521-bias CVE-2024-31497

Link State
Forum|alt.badge.img+11

CVE - CVE-2024-31497 (mitre.org)

PuTTY vulnerability vuln-p521-bias (greenend.org.uk)

 

summary: NIST P521 private keys are exposed by biased signature generation
classvulnerability: This is a security vulnerability.
priorityhigh: This should be fixed in the next release.
absent-in: 0.67
present-in: 0.68 0.69 0.70 0.71 0.72 0.73 0.74 0.75 0.76 0.77 0.78 0.79 0.80
fixed-inc193fe9848f50a88a4089aac647fecc31ae96d27 (0.81)

 

Hi Guysm

PuTTY Releases Security Update to Address Critical Vulnerability

PuTTY developers have warned of a critical vulnerability affecting versions 0.68 to 0.80. The flaw could allow an attacker to fully recover NIST-P521 private keys.

The vulnerability, CVE-2024-31497, stems from errors in ECDSA cryptographic number generation, enabling private key recovery. The discovery of the flaw is attributed to researchers Fabian BΓ€umer and Markus Brinkmann of Ruhr University Bochum.

The first 9 bits of each ECDSA nonce are zero, allowing for the complete recovery of the private key from approximately 60 signatures using state-of-the-art techniques.

A malicious actor possessing several dozen signed messages and a public key would have sufficient data to recover the private key and forge signatures, potentially leading to unauthorized access to servers and services that utilize this key.

The issue also affected other products integrated with vulnerable PuTTY versions:

  • FileZilla (3.24.1 – 3.66.5)
  • WinSCP (5.9.5 – 6.3.2)
  • TortoiseGit (2.4.0.2 – 2.15.0)
  • TortoiseSVN (1.10.0 – 1.14.6)

Following responsible disclosure, the issue has been addressed in new releases of PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1.

Product developers have adopted the RFC 6979 technique to generate all DSA and ECDSA key types, abandoning the previous method. TortoiseSVN users are advised to utilize Plink from the latest PuTTY 0.81 release when accessing SVN repositories via SSH until an update is released.

NIST-P521 ECDSA keys used in any of the affected components should be considered compromised and immediately revoked by removing them from "~/.ssh/authorized_keys" and similar files on other SSH servers.

Veeam: VMCA | VMCE | VMXP | Veeam Legend - Microsoft: MCITP | MCP | MCSA | 2008 R2 | 2012R2 | 2016 | MCSE Core Infrastructure | MCSE Cloud Platform - Azure: AZ900 | AZ104| AZ500 - AWS Cloud Practitioner - VMWare: VCP-DCV Vsphere 7.x - Cisco: CCNA (Expired)

9 comments

coolsport00
Forum|alt.badge.img+20
  • coolsport00
  • Veeam Legend
  • 4139 comments
  • April 19, 2024

Thanks for sharing @Link State . I'll need to download new versions of PuTTy & WinSCP it appears πŸ€·πŸΌβ€β™‚οΈ

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
Link State
1 person likes this
  • Link State
    Link State
Chris.Childerhose
Forum|alt.badge.img+21
  • Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8492 comments
  • April 19, 2024

Looks like putty and winscp updates today due to this security alert.  Thanks for sharing.  πŸ‘

Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | vExpert 6* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
Link State
1 person likes this
  • Link State
    Link State
Stabz
Forum|alt.badge.img+8
  • Stabz
  • On the path to Greatness
  • 354 comments
  • April 19, 2024

Thanks @Link State 

Veeam will have to create an update cause Putty is integrated in the toolbox
 

 

Philippe DUPUIS |Veeam Certified Engineer | https://original-network.com/
Chris.Childerhose
Link State
2 people like this
  • Chris.Childerhose
    Chris.Childerhose
  • Link State
    Link State
Mildur
Forum|alt.badge.img+12
  • Mildur
  • Influencer
  • 1035 comments
  • April 19, 2024

Hi all

Our upcoming Patch 12.1.2 will include Putty 0.81.

 

Best,

Fabian

Product Management Analyst @ Veeam Software
Chris.Childerhose
Link State
Stabz
3 people like this
  • Chris.Childerhose
    Chris.Childerhose
  • Link State
    Link State
  • Stabz
    Stabz
Chris.Childerhose
Forum|alt.badge.img+21
  • Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8492 comments
  • April 19, 2024
Mildur wrote:

Hi all

Our upcoming Patch 12.1.2 will include Putty 0.81.

 

Best,

Fabian

Ooh when is that?  LOL πŸ˜‹

Yes I know when it is ready.  πŸ˜‚

Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | vExpert 6* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
Link State
1 person likes this
  • Link State
    Link State
Chris.Childerhose
Forum|alt.badge.img+21
  • Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8492 comments
  • April 19, 2024

If you are worried about security with Putty then you can download the latest EXE file and place it here for Veeam to use the 0.81 release - Program Files\Veeam\Backup and Replication\Console\PUTTY

I just renamed the EXE located here (backup) and copied over the new one 0.81 which now works when launching from the VBR console.

Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | vExpert 6* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
Link State
Iams3le
2 people like this
  • Link State
    Link State
  • Iams3le
    Iams3le
Link State
Forum|alt.badge.img+11
  • Link State
  • Author
  • Veeam Legend
  • 608 comments
  • April 19, 2024
Chris.Childerhose wrote:

If you are worried about security with Putty then you can download the latest EXE file and place it here for Veeam to use the 0.81 release - Program Files\Veeam\Backup and Replication\Console\PUTTY

I just renamed the EXE located here (backup) and copied over the new one 0.81 which now works when launching from the VBR console.

Nice workaround m8! πŸ˜Ž

Veeam: VMCA | VMCE | VMXP | Veeam Legend - Microsoft: MCITP | MCP | MCSA | 2008 R2 | 2012R2 | 2016 | MCSE Core Infrastructure | MCSE Cloud Platform - Azure: AZ900 | AZ104| AZ500 - AWS Cloud Practitioner - VMWare: VCP-DCV Vsphere 7.x - Cisco: CCNA (Expired)
Chris.Childerhose
Iams3le
2 people like this
  • Chris.Childerhose
    Chris.Childerhose
  • Iams3le
    Iams3le
Link State
Forum|alt.badge.img+11
  • Link State
  • Author
  • Veeam Legend
  • 608 comments
  • April 19, 2024
Mildur wrote:

Hi all

Our upcoming Patch 12.1.2 will include Putty 0.81.

 

Best,

Fabian

need MOAR info πŸ‘€

Veeam: VMCA | VMCE | VMXP | Veeam Legend - Microsoft: MCITP | MCP | MCSA | 2008 R2 | 2012R2 | 2016 | MCSE Core Infrastructure | MCSE Cloud Platform - Azure: AZ900 | AZ104| AZ500 - AWS Cloud Practitioner - VMWare: VCP-DCV Vsphere 7.x - Cisco: CCNA (Expired)
Chris.Childerhose
1 person likes this
  • Chris.Childerhose
    Chris.Childerhose
dips
Forum|alt.badge.img+7
  • dips
  • Veeam Legend
  • 808 comments
  • April 19, 2024

Thanks for sharing @Link State 

In terms of the vulnerability, unless the Putty installation that is included with Veeam is being used for SSH connections it should be fine to wait for the update from Veeam. 

Additionally, the attacker would need to have compromised the server. 

More serious is that the P521 private keys generated using the vulnerable version of Putty should be considered vulnerable and replaced.

Dipen N. K. | IT Security Specialist | Veeam Legend 2022 - 2025 | Cyber Security Space VUG Leader
Link State
Iams3le
2 people like this
  • Link State
    Link State
  • Iams3le
    Iams3le

Comment


Terms & Conditions