CVE-2024-31497: Secret Key Recovery of NIST P-521 Private Keys Through Biased ECDSA Nonces in PuTTY Client

[Fabian Bäumer <fabian.baeumer () rub de>]

### Summary

The PuTTY client and all related components generate heavily biased 
ECDSA nonces in the case of NIST P-521. To be more precise, the first 9 
bits of each ECDSA nonce are zero. This allows for full secret key 
recovery in roughly 60 signatures by using state-of-the-art techniques. 
These signatures can either be harvested by a malicious server 
(man-in-the-middle attacks are not possible given that clients do not 
transmit their signature in the clear) or from any other source, e.g. 
signed git commits through forwarded agents. The nonce generation for 
other curves is slightly biased as well. However, the bias is negligible 
and far from enough to perform lattice-based key recovery attacks (not 
considering cryptanalytical advancements).

### Affected Products

- PuTTY 0.68 - 0.80

The following (not necessarily complete) list of products bundle an 
affected PuTTY version and are therefore vulnerable as well:

- FileZilla 3.24.1 - 3.66.5
- WinSCP 5.9.5 - 6.3.2
- TortoiseGit 2.4.0.2 - 2.15.0
- TortoiseSVN 1.10.0 - 1.14.6

### Impact

The nonce bias allows for full secret key recovery of NIST P-521 keys 
after a malicious actor has seen roughly 60 valid ECDSA signatures 
generated by any PuTTY component under the same key. Luckily, client 
signatures are transmitted within the secure channel of SSH, requiring a 
malicious server to acquire such signatures. If the key has been used to 
sign arbitrary data (e.g., git commits by forwarding Pageant to a 
development host), the publicly available signatures (e.g., on GitHub) 
can be used as well.

All NIST P-521 client keys used with PuTTY must be considered 
compromised, given that the attack can be carried out even after the 
root cause has been fixed in the source code (assuming that ~60 
pre-patch signatures are available to an adversary).

### Mitigations

This vulnerability has been fixed in PuTTY 0.81, FileZilla 3.67.0, 
WinSCP 6.3.3, and TortoiseGit 2.15.0.1. Users of TortoiseSVN are advised 
to configure TortoiseSVN to use Plink from the latest PuTTY 0.81 release 
when accessing a SVN repository via SSH until a patch becomes available.

ECDSA NIST-P521 keys used with any vulnerable product / component should 
be considered compromised and consequently revoked by removing them from 
authorized_keys, GitHub, ...

### CVE

This vulnerability has been assigned CVE-2024-31497.

--
M. Sc. Fabian Bäumer

Chair for Network and Data Security
Ruhr University Bochum
Universitätsstr. 150, Building MC 4/145
44780 Bochum
Germany

Attachment: smime.p7s
Description: Kryptografische S/MIME-Signatur