CVE CyberSecurity Database News

CVE-2024-31497 - Breaking PuTTY ECDSA-521 SSH Keys in 60 Signatures – How a Nonce Leak Opens the Supply Chain

Poster -

A very serious cryptographic flaw—CVE-2024-31497—was recently found in PuTTY, a popular SSH client for Windows and UNIX. If you used PuTTY versions .68 through .80 (before .81) with NIST P-521 ECDSA keys, your *private key could be stolen* by anyone who can collect about 60 ECDSA signatures signed by your key. This puts not just your SSH access at risk, but also enables supply-chain attacks against projects you maintain via Git or other services.

This post explains how the bug works, who’s at risk, exploitation scenarios, how to test if you’re affected, and how to protect yourself. Code snippets and direct references are given for deeper understanding.

The Vulnerability: Flawed ECDSA Nonce

For digital signatures like ECDSA, it's critical that the random value (the “nonce,” called *k*) generated for each signature is unique and unpredictable.

Due to improper random number generation in PuTTY (and tools built on it), the *k* value was actually biased. This makes it possible to recover the *private key*—if you have about 60 signatures, even ones made in the past.

The buggy code in PuTTY (randomsig.c)

/* (Buggy) Biased nonces generation for NIST P-521 */
for (i = ; i < nbytes; i++)
    k[i] = random_byte();
k[nbytes - 1] &= mask;

Here, the most significant byte of k is masked, introducing a statistical bias that breaks ECDSA’s security.

Good Reference

- Official PuTTY Vulnerability Report
- NCC Group Blog: PuTTY CVE-2024-31497

TortoiseSVN through 1.14.6

If you have signed messages or authenticated to SSH servers using these versions and keys, your private key might be compromised.

1. Public Exposure via Signed Git Commits

Suppose you (or your CI) signed Git commits over SSH with a vulnerable Pageant. Many Git hosting services (GitHub, GitLab, etc) store these signatures publicly.
> An attacker can download ~60 signatures and recover your private key using readily available scripts—*even if you’ve since switched to a fixed PuTTY version or new key*.

This allows attackers to impersonate you in any system where that SSH key is trusted. For software projects, this could mean supply-chain compromise (attacker pushes malicious code as you).

2. Evil SSH Server Operator

Suppose you connect (with agent forwarding enabled) to an SSH server not fully under your control (maybe a random VPS, a contractor, or a compromised server).
That server can request multiple signatures from your agent and collect enough to recover your private key.

If you use that key with other hosts, *the rogue server now has access to them all*.

An attacker needs only to

- Collect ~60 ECDSA-P521 signatures made by the same key (for example, by scraping signed git commits or being an SSH server and asking the agent for signatures repeatedly).

Run an open-source script for nonce bias attacks on ECDSA:

Such as ecdsa-recover or fail-nonce-reuse.

Suppose you have a set of signature files sig1, sig2, ..., sig60

python3 fail_nonce_reuse.py NISTP521 sig1 sig2 ... sig60
# The tool outputs the recovered private key

Here's an example snippet (for illustration; real tools are more sophisticated)

from ecdsa import SigningKey, NIST521p
# (Assuming signatures and messages already collected)

# attacker_code.py
sigs = [(r, s, h) for ...]  # This needs actual signature and hash values

# Run lattice or statistical attack...
# See github.com/thepwny/fail-nonce-reuse for the math!

For a real exploit

- See fail-nonce-reuse, with step-by-step.

Did you use ECDSA-P521 keys?

Check via PuTTYgen, or look for entries in ~/.ssh/authorized_keys starting with ecdsa-sha2-nistp521.

What Should You Do?

a) IMMEDIATELY UPGRADE:

TortoiseSVN 1.14.7+

b) REPLACE and REVOKE OLD KEYS

Rotate any tokens or credentials that may have relied on compromised keys.

c) AUDIT YOUR PROJECTS

Read More

- NCC Group Advisory
- PuTTY Security Page
- BleepingComputer: New PuTTY Flaw Lets Attackers Recover Private SSH Keys

Summary

CVE-2024-31497 demonstrates how a subtle cryptography bug in a widely used tool can unravel trust throughout the wider open-source supply chain. If you used NIST P-521 keys with PuTTY .68–.80 or affected apps, rotate your keys NOW—even past use may be enough to put you at risk.

Protect your supply chains: Never underestimate the humble “random” number.

Timeline

Published on: 04/15/2024 20:15:11 UTC
Last modified on: 05/10/2024 14:33:55 UTC