AuthorTAFA Archives
April 2024
Categories
All
|
Back to Blog
The PuTTY project has released a security update to address a critical vulnerability (tracked as CVE-2024-31497) in PuTTY 0.68 through 0.80. This vulnerability could potentially allow attackers to access 60 cryptographic signatures that can be utilised to recover the private key used for their generation. This consequence of this critical vulnerability is that it will allow unauthorised access to SSH servers or sign commits as the developer. This can potentially lead to supply chain attacks on impacted software projects. This vulnerability is caused by how PuTTY generates temporary unique cryptographic numbers for the NIST P-521 curve used for SSH authentication. PuTTY is a popular open-source terminal emulator, serial console, and network file transfer application that supports SSH, Telnet, SCP, and SFTP. The developers have fixed the vulnerability in PuTTY version 0.81. However, it is noted that any P521 private keys generated using the vulnerable version of the tool should be considered unsafe and be replaced by new, secure keys. Listed below are confirmed software that uses the vulnerable PuTTY:
It should be noted that it is likely that there are more software tools impacted by this vulnerability, depending on the PuTTY version incorporated. It is highly advised that users check their tools and take the preventive action needed. More information is available here: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-042 https://www.bleepingcomputer.com/news/security/putty-ssh-client-flaw-allows-recovery-of-cryptographic-private-keys/ Comments are closed.
|