Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 15 Apr 2024 21:15:22 +0200
From: Fabian Bäumer <fabian.baeumer@....de>
To: oss-security@...ts.openwall.com
Cc: Marcus Brinkmann <marcus.brinkmann@...r-uni-bochum.de>
Subject: CVE-2024-31497: Secret Key Recovery of NIST P-521 Private Keys
 Through Biased ECDSA Nonces in PuTTY Client

### Summary

The PuTTY client and all related components generate heavily biased 
ECDSA nonces in the case of NIST P-521. To be more precise, the first 9 
bits of each ECDSA nonce are zero. This allows for full secret key 
recovery in roughly 60 signatures by using state-of-the-art techniques. 
These signatures can either be harvested by a malicious server 
(man-in-the-middle attacks are not possible given that clients do not 
transmit their signature in the clear) or from any other source, e.g. 
signed git commits through forwarded agents. The nonce generation for 
other curves is slightly biased as well. However, the bias is negligible 
and far from enough to perform lattice-based key recovery attacks (not 
considering cryptanalytical advancements).

### Affected Products

- PuTTY 0.68 - 0.80

The following (not necessarily complete) list of products bundle an 
affected PuTTY version and are therefore vulnerable as well:

- FileZilla 3.24.1 - 3.66.5
- WinSCP 5.9.5 - 6.3.2
- TortoiseGit 2.4.0.2 - 2.15.0
- TortoiseSVN 1.10.0 - 1.14.6

### Impact

The nonce bias allows for full secret key recovery of NIST P-521 keys 
after a malicious actor has seen roughly 60 valid ECDSA signatures 
generated by any PuTTY component under the same key. Luckily, client 
signatures are transmitted within the secure channel of SSH, requiring a 
malicious server to acquire such signatures. If the key has been used to 
sign arbitrary data (e.g., git commits by forwarding Pageant to a 
development host), the publicly available signatures (e.g., on GitHub) 
can be used as well.

All NIST P-521 client keys used with PuTTY must be considered 
compromised, given that the attack can be carried out even after the 
root cause has been fixed in the source code (assuming that ~60 
pre-patch signatures are available to an adversary).

### Mitigations

This vulnerability has been fixed in PuTTY 0.81, FileZilla 3.67.0, 
WinSCP 6.3.3, and TortoiseGit 2.15.0.1. Users of TortoiseSVN are advised 
to configure TortoiseSVN to use Plink from the latest PuTTY 0.81 release 
when accessing a SVN repository via SSH until a patch becomes available.

ECDSA NIST-P521 keys used with any vulnerable product / component should 
be considered compromised and consequently revoked by removing them from 
authorized_keys, GitHub, ...

### CVE

This vulnerability has been assigned CVE-2024-31497.

-- 
M. Sc. Fabian Bäumer

Chair for Network and Data Security
Ruhr University Bochum
Universitätsstr. 150, Building MC 4/145
44780 Bochum
Germany


Download attachment "smime.p7s" of type "application/pkcs7-signature" (5977 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.