CVE-2024-31497: PuTTY Forfeits Client ECDSA Private Keys

Public-key cryptography underpins enterprise network security and thus, securing the confidentiality of private keys is one of the most critical IT security challenges for preventing unauthorized access and maintaining the confidentiality of data. While Quantum Safe Cryptography (QSC) has emerged as a top concern for the future, recent critical vulnerabilities like CVE-2024-3094 (CVSS 10) in XZ Utils and the newly disclosed CVE-2024-31497 (CVSS 8.8) in PuTTY are here and now – real and present dangers.

Luckily, the XZ Utils vulnerability was caught before widespread deployment into Linux stable release branches. However, by comparison, CVE-2024-31497 in PuTTY represents a much bigger threat than the aforementioned vulnerability in XZ Utils despite its lower CVSS score. Let’s examine the details to understand why and review Greenbone’s capabilities for detecting known cryptographic vulnerabilities.

A Primer On Public Key Authentication

Public-key infrastructure (PKI) is fundamental to a wide array of digital trust services such as Internet and enterprise LAN authentication, authorization, privacy, and application security. For public-key authentication both the client and server each need a pair of interconnected cryptographic keys: a private key, and a public key. The public keys are openly shared between the two connecting parties, while the private keys are used to digitally sign messages sent between them, and the associated public keys are used to decrypt those messages. This is how each party fundamentally verifies the other’s identity and how a single symmetric key is agreed upon for continuous encrypted communication with an optimal connection speed.

In the client-server model of communication, if the client’s private key is compromised, an attacker can potentially authenticate to any resources that honor it. If the server’s private key is compromised, an attacker can potentially spoof the server’s identity and conduct Adversary-in-the-Middle (AitM) attacks.

CVE-2024-31497 Affects All Versions of PuTTY

CVE-2024-31497 in the popular Windows SSH client PuTTY allows an attacker to recover a client’s NIST P-521 secret key by capturing and analyzing approximately 60 digital signatures due to biased ECDSA nonce generation. As of NIST SP-800-186 (2023) NIST ECDSA P-521 keys are still classified among those offering the highest cryptographic resilience and recommended for use in various applications, including SSL/TLS and Secure Shell (SSH) applications. So, a vulnerability in an application’s implementation of ECDSA P-521 authentication is a serious disservice to IT teams who have otherwise applied appropriately strong encryption standards.

In the case of CVE-2024-31497, the client’s digital signatures are subject to cryptanalysis attacks that can reveal the private key. While developing an exploit for CVE-2024-31497 is a highly skilled endeavor requiring expert cryptographers and computer engineers, a proof-of-concept (PoC) code has been released publically, indicating a high risk that CVE-2024-31497 may be actively exploited by even low skilled attackers in the near future.

Adversaries could capture a victim’s signatures by monitoring network traffic, but signatures may already be publicly available if PuTTY was used for signing commits of public GitHub repositories using NIST ECDSA P-521 keys. In other words, adversaries may be able to find enough information to compromise a private key from publicly accessible data, enabling supply-chain attacks on a victim’s software.

CVE-2024-31497 affects all versions of PuTTY after 0.68 (early 2017) before 0.81 and affects FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6, and potentially other products.

On the bright side, Greenbone is able to detect the various vulnerable versions of PuTTY with multiple Vulnerability Tests (VTs). Greenbone can identify Windows Registry Keys that indicate a vulnerable version of PuTTY is present on a scan target, and has additional tests for PuTTY for Linux [1][2][3], FileZilla [4][5], and versions of Citrix Hypervisor/XenServer [6] susceptible to CVE-2024-31497.

Greenbone Protects Against Known Encryption Flaws

Encryption flaws can be caused by weak cryptographic algorithms, misconfigurations, and flawed implementations of an otherwise strong encryption algorithm, such as the case of CVE-2024-31497. Greenbone includes over 6,500 separate Network Vulnerability Tests (NVTs) and Local Security Checks (LSCs) that can identify all types of cryptographic flaws. Some examples of cryptographic flaws that Greebone can detect include:

  • Application Specific Vulnerabilities: Greenbone can detect over 6500 OS and application specific encryption vulnerabilities for which CVEs have been published.
  • Lack Of Encryption: Unencrypted remote authentication or other data transfers, and even unencrypted local services pose a significant risk to sensitive data when attackers have gained an advantageous position such as the ability to monitor network traffic.
  • Support For Weak Encryption Algorithms: Weak encryption algorithms or cipher suites no longer provide strong assurances against cryptanalysis attacks. When they are in use, communications are at higher risk of data theft and an attacker may be able to forge communication to execute arbitrary commands on a victim’s system. Greenbone includes more than 1000 NVTs to detect remote services using weak encryption algorithms.
  • Non-Compliant TLS Settings And HTTPS Security Headers: Greenbone has NVTs to detect when HTTP Strict Transport Security (HSTS) is not configured and verify web-server TLS policy.

Summary

SSH public-key authentication is widely considered one of the most – if not the most secure remote access protocol, but two recent vulnerabilities have put this critical service in the spotlight. CVE-2024-3094, a trojan planted in XZ Utils found its way into some experimental Linux repositories before it’s discovery, and CVE-2024-31497 in PuTTY allows a cryptographic attack to extract a client’s private key if an attacker can obtain roughly 60 digital signatures.

Greenbone can detect emerging threats to encryption such as CVE-2024-31497 and includes over 6,500 other vulnerability tests to identify a range of encryption vulnerabilities.