Silly PuTTY: SSH client hit with key-stealing bug
The PuTTY terminal has been found to contain a vulnerability allowing for the exposure of security keys
The PuTTY SSH terminal client has been found to contain a vulnerability that allows for the theft of secret keys.
This according to researchers with Ruhr University Bochum who discovered and reported the bug that has since been assigned CVE-2024-31497.
According to the university team that reported the flaw, PuTTY suffers from a vulnerability in its handling of Nonces.
We will now pause while all of our UK readers have a good laugh at that last sentence.
Back to the point at hand, the vulnerability results in a threat actor potentially being able to use the bug to lift secret encryption keys and potentially elevate privileges for a complete system takeover.
"To be more precise, the first 9 bits of each ECDSA nonce are zero," the researchers explain.
"This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques."
In practice, this would allow for a threat actor to guess keys by way of a man in the middle attack. In the wild, this would usually be done by way of redirecting the target's network traffic to a malicious server and then brute-forcing the security key via multiple guessing attempts.
"The nonce generation for other curves is slightly biased as well," the researchers explained.
"However, the bias is negligible and far from enough to perform lattice-based key recovery attacks (not considering cryptanalytical advancements)."
In short, poor cryptography practices are leaving PuTTY SSH keys vulnerable to decoding, and user data is at risk as a result. Fortunately, the flaw has been patched and apps using PuTTY can be protected from exploit.
Administrators and users are advised to update their PuTTY, FileZilla,
WinSCP, and TortoiseGit installations to the latest versions in order to obtain the bug fix.