A vulnerability in PuTTY allowed the user's private key to be recreated


If exploited, this flaw can allow attackers to gain unauthorized access to sensitive information or otherwise cause harm.

The news recently broke that a vulnerability was detected in PuTTY (already listed as CVE-2024-31497), a popular tool that provides implementations of the SSH, Telnet and Rlogin protocols for Windows and Unix systems.

The CVE-2024-31497 vulnerability is considered critical, since it allows the user's private key to be recreated when that key uses the ECDSA algorithm over the NIST P-521 elliptic curve (ecdsa-sha2-nistp521), from approximately 60 digital signatures generated in PuTTY.

It is worth mentioning that the vulnerability is not exclusive to the PuTTY client, since it also affects other products that include vulnerable versions of PuTTY, such as FileZilla, WinSCP, TortoiseGit, and TortoiseSVN. The vulnerability is due to a bias in the generation of ECDSA nonces: the first 9 bits of each ECDSA nonce are always zero, which makes it possible to recover the private key from approximately 60 valid ECDSA signatures using advanced techniques.

The cause of this vulnerability is said to lie in the PuTTY developers' use of a 512-bit random sequence to generate a 521-bit initialization vector (the nonce). They mistakenly believed that 512 bits of entropy would be enough and that the remaining 9 bits were not critical. However, this meant that the first 9 bits of the initialization vector were always zero, which allows private keys to be recreated.

The required set of signed messages can be publicly readable, for example when they are stored in a public Git service that supports SSH for commit signing and Pageant performed the signing through agent forwarding. In other words, a malicious user may already have enough signature material to compromise a victim's private key, even if vulnerable versions of PuTTY are no longer used.

The quality of the pseudorandom number generator, and complete coverage of the parameter space in the random data modulus calculations, is crucial for the ECDSA and DSA algorithms. Knowing even a few bits of the initialization vector can lead to a successful attack that progressively recovers the entire private key. This type of attack is based on solving the Hidden Number Problem (HNP).

To recover a private key, an attacker only needs the public key and several digital signatures generated with the problematic initialization vector. These signatures can be obtained if the user connects to a malicious SSH server, or to a Git server that uses SSH as transport. They can also be obtained if the key is used to sign arbitrary data, such as Git commits, with the Pageant SSH agent forwarded to the developer's host.

After a key compromise, an adversary can conduct supply-chain attacks on software maintained in Git. A second, independent scenario is that the adversary operates an SSH server to which the victim authenticates (for remote login or file copy) even though the victim does not fully trust this server, and the victim uses the same private key for SSH connections to other services operated by other entities.

It is important to note that a MITM attack to obtain the data needed to recover the key is not feasible, since signatures in SSH are not transmitted in clear text. In the case of PuTTY, a similar use of incomplete initialization vectors was observed for other types of elliptic curves, but ECDSA keys of other sizes and Ed25519 keys are not susceptible to this type of attack.

Finally, the fix for this vulnerability is available in updates to PuTTY and the other affected products; users who have used vulnerable versions are therefore recommended to generate new private keys and remove the old public keys from their authorized_keys files after applying the update.
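As an added example of the clean-up step above (not code from the original article, PuTTY, or OpenSSH), the following Python script scans authorized_keys contents for ecdsa-sha2-nistp521 entries that should be rotated. It tokenises each line with quoted option values kept intact, decodes the base64 blob, and checks that the type name embedded in the blob matches the declared type before reporting a hit. The sample file contents and the key blobs in it are constructed (zero-filled points, not real keys); all function names are my own.

```python
import base64
import struct

# Key type the article names as affected; other ECDSA sizes and Ed25519 are not.
AFFECTED_TYPES = {"ecdsa-sha2-nistp521"}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def first_ssh_string(blob: bytes) -> bytes:
    """The first string in a public-key blob is the key type name."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length]


def tokenize(line: str):
    """Split on whitespace, but keep quoted option values (e.g. from="a b") together."""
    tokens, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch in " \t" and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_authorized_key(line: str):
    """Return (options, keytype, blob_bytes, comment), or None for blank/comment
    lines. Raises ValueError if the declared type and the blob's type disagree."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = tokenize(stripped)
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            options, keytype, b64 = tokens[:i], tok, tokens[i + 1]
            comment = " ".join(tokens[i + 2:])
            blob = base64.b64decode(b64, validate=True)
            embedded = first_ssh_string(blob).decode()
            if embedded != keytype:
                raise ValueError(f"type mismatch: {keytype!r} vs blob {embedded!r}")
            return options, keytype, blob, comment
    raise ValueError("no key type field found")


def find_keys_to_rotate(text: str):
    """Return [(line_number, keytype, comment)] for every affected entry."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_authorized_key(line)
        if parsed and parsed[1] in AFFECTED_TYPES:
            hits.append((lineno, parsed[1], parsed[3]))
    return hits


# --- constructed sample data: fake key material, not real public keys ---
def make_fake_blob(keytype: str, curve, point_len: int) -> str:
    blob = ssh_string(keytype.encode())
    if curve:
        blob += ssh_string(curve.encode())
        blob += ssh_string(b"\x04" + b"\x00" * point_len)  # uncompressed point shape
    else:
        blob += ssh_string(b"\x00" * point_len)
    return base64.b64encode(blob).decode()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real authorized_keys file",
    f"ssh-ed25519 {make_fake_blob('ssh-ed25519', None, 32)} alice@laptop",
    f'from="10.0.0.0/8",no-pty ecdsa-sha2-nistp521 '
    f"{make_fake_blob('ecdsa-sha2-nistp521', 'nistp521', 132)} bob@ci",
    f"ecdsa-sha2-nistp256 {make_fake_blob('ecdsa-sha2-nistp256', 'nistp256', 64)} carol@desk",
])

if __name__ == "__main__":
    for lineno, keytype, comment in find_keys_to_rotate(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: {keytype} ({comment}) should be rotated")
```

Run it against the contents of a real `~/.ssh/authorized_keys` by reading the file into `find_keys_to_rotate`; the type-mismatch check exists because a line's declared type is what sshd trusts only after parsing the blob, so an audit that reads just the first field could miss or misreport an entry.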

If you are interested in knowing more about it, you can check the details in the following link.
