Widely Used PuTTY SSH Client Found Vulnerable to Key Recovery Attack

Apr 16, 2024NewsroomEncryption / Network Security

PuTTY SSH Client

The maintainers of PuTTY Secure Shell (SSH) and Telnet client alerts users to a critical vulnerability affecting versions from 0.68 to 0.80 that can be exploited to achieve full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys.

The flaw is assigned a CVE identifier CVE-2024-31497with the discovery credited to researchers Fabian Bäumer and Marcus Brinkmann of the Ruhr University Bochum.

“The impact of the vulnerability is the compromise of the private key,” the PuTTY project SAYS in an advisory.

“An attacker with a few dozen signed messages and the public key has enough information to recover the private key, and then forge signatures that appear to be from you, which is allowed they (eg) log into any servers you use that. key for.”


However, in order to obtain the signatures, an attacker must compromise the server where the key is used to authenticate.

In a message posted on the Open Source Software Security (oss-sec) mailing list, Bäumer describes the error that comes from the generation of biased ECDSA cryptographic nonceswhich is able to recover the private key.

“The first 9 pieces of each ECDSA does not exist zeros,” Bäumer MEAN. “It allows for full secret key recovery of almost 60 signatures by using state-of-the-art techniques.”

“These signatures can be harvested by a malicious server (man-in-the-middle attacks are not possible because clients do not send their signature in the clear) or from any other source, for example the signed git commit through forwarded agents.”

Apart from affecting PuTTY, it also affects other products that have a vulnerable version of the software –

  • FileZilla (3.24.1 – 3.66.5)
  • WinSCP (5.9.5 – 6.3.2)
  • TortoiseGit ( – 2.15.0)
  • TurtleSVN (1.10.0 – 1.14.6)

After responsible disclosure, the issue has been addressed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit TortoiseSVN users are recommended to use Plink from the latest PuTTY 0.81 release when accessing an SVN repository via SSH until a patch becomes available.

Specifically, it is solved by moving to RFC 6979 technique for all DSA and ECDSA key types, abandoned its previous method of deriving the nonce using a deterministic method which, while avoiding the need for a source of high quality randomness, is vulnerable to biased nonces when using P-521.

Furthermore, ECDSA NIST-P521 keys used by any vulnerable components should be considered compromised and thus recovered by removing them from the authorized_keys files and their corresponds to other SSH servers.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment