posted by hubie on Tuesday April 16, @11:40PM
from the re-key-your-locks-asap dept.

PuTTY vulnerability vuln-p521-bias:

summary: NIST P521 private keys are exposed by biased signature generation
class: vulnerability: This is a security vulnerability.
priority: high: This should be fixed in the next release.
absent-in: 0.67
present-in: 0.68 0.69 0.70 0.71 0.72 0.73 0.74 0.75 0.76 0.77 0.78 0.79 0.80
fixed-in: c193fe9848f50a88a4089aac647fecc31ae96d27 (0.81)

Every version of the PuTTY tools from 0.68 to 0.80 inclusive has a critical vulnerability in the code that generates signatures from ECDSA private keys which use the NIST P521 curve. (PuTTY, or Pageant, generates a signature from a key when using it to authenticate you to an SSH server.)

This vulnerability has been assigned CVE-2024-31497. It was discovered by Fabian Bäumer and Marcus Brinkmann of the Ruhr University Bochum; see their write-up on the oss-security mailing list.

The bad news: the effect of the vulnerability is to compromise the private key. An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key, and then forge signatures as if they were from you, allowing them to (for instance) log in to any servers you use that key for. To obtain these signatures, an attacker need only briefly compromise any server you use the key to authenticate to, or momentarily gain access to a copy of Pageant holding the key. (However, these signatures are not exposed to passive eavesdroppers of SSH connections.)

Therefore, if you have a key of this type, we recommend you revoke it immediately: remove the old public key from all OpenSSH authorized_keys files, and the equivalent in other SSH servers, so that a signature from the compromised key has no value any more. Then generate a new key pair to replace it.

(The problem is not with how the key was originally generated; it doesn't matter whether it came from PuTTYgen or somewhere else. What matters is whether it was ever used with PuTTY or Pageant.)

The good news: the only affected key type is 521-bit ECDSA. That is, a key that appears in Windows PuTTYgen with ecdsa-sha2-nistp521 at the start of the 'Key fingerprint' box, or is described as 'NIST p521' when loaded into Windows Pageant, or has an id starting ecdsa-sha2-nistp521 in the SSH protocol or the key file. Other sizes of ECDSA, and other key algorithms, are unaffected. In particular, Ed25519 is not affected.
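As an added example (not part of the PuTTY advisory or the SoylentNews post), here is a Python script that carries out the revocation check the advisory asks for: it scans an OpenSSH authorized_keys file and flags every entry whose key blob identifies itself as ecdsa-sha2-nistp521, reading the type from inside the base64 blob rather than trusting the text column. The sample file and its key blobs are constructed for the demo (zero-filled key material), so only the embedded key-type strings matter.

```python
import base64
import struct

AFFECTED_TYPE = "ecdsa-sha2-nistp521"
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def build_blob(key_type: str, *fields: bytes) -> str:
    """Encode an SSH public-key blob (length-prefixed string fields) as base64."""
    out = b""
    for f in (key_type.encode(),) + fields:
        out += struct.pack(">I", len(f)) + f
    return base64.b64encode(out).decode()

def blob_key_type(b64: str) -> str:
    """Read the key type from the blob itself; on real keys it must match column one."""
    raw = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode()

def affected_keys(authorized_keys_text: str) -> list:
    """Return (line_no, comment) for every NIST P521 ECDSA key in an
    authorized_keys file, using the blob's embedded type, not the text column."""
    hits = []
    for no, line in enumerate(authorized_keys_text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Lines may start with an options column; locate the keytype/base64 pair.
        for j, tok in enumerate(parts[:-1]):
            if tok.startswith(KEY_TYPE_PREFIXES):
                try:
                    ktype = blob_key_type(parts[j + 1])
                except (ValueError, struct.error):
                    continue  # not a blob; keep scanning the line
                if ktype == AFFECTED_TYPE:
                    hits.append((no, " ".join(parts[j + 2:])))
                break
    return hits

# Constructed sample file: synthetic blobs whose only meaningful content is the
# embedded key-type string (a P521 entry sits on line 3).
SAMPLE = "\n".join([
    "# constructed authorized_keys",
    "ssh-ed25519 " + build_blob("ssh-ed25519", b"\x00" * 32) + " laptop",
    "ecdsa-sha2-nistp521 " + build_blob(AFFECTED_TYPE, b"nistp521", b"\x04" + b"\x00" * 132) + " pageant-key",
    'no-pty,command="uptime" ecdsa-sha2-nistp256 ' + build_blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x00" * 64) + " monitor",
])

if __name__ == "__main__":
    for no, comment in affected_keys(SAMPLE):
        print(f"line {no}: revoke P521 key '{comment}'")
```

Run it against a real file with `affected_keys(open(path).read())`; every hit is a key that should be removed and replaced per the advisory.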


  • (Score: 2, Informative) by Anonymous Coward on Wednesday April 17, @04:06AM (#1353261)

    FileZilla used PuTTY, so beware.

  • (Score: 5, Informative) by deimios (201) on Wednesday April 17, @06:18AM (#1353275)

    PuTTYgen 0.79 right now has 5 methods: RSA, DSA, ECDSA, EdDSA, SSH-1 (RSA), with RSA being the default and the default bit length set to 2048.
    So unless you specifically selected ECDSA, you are fine.

    And if you are in the know, then you probably actively avoid using ECDSA because of the whole NSA incident.

  • (Score: 3, Funny) by DannyB (5839) on Wednesday April 17, @07:04PM (#1353350)

    I don't worry about problems like this because I use telnet just as God intended.

    --
    Every performance optimization is a grate wait lifted from my shoulders.
    • (Score: 2) by kazzie (5309) on Thursday April 18, @09:48AM (#1353441)

      Do you even need telnet, when you can just follow the instructions in your sig?
