Executive summary

PuTTY, popular with IT administrators as an open-source terminal emulator that supports SSH, telnet and other network file transfer protocols, is currently being exploited due to a weakness in how it generates cryptographic private keys. The exploitation of the flaw allows an attacker to gain access to the user’s private keys and achieve unauthorised access to SSH servers, with the potential for supply chain attacks if exploited. Cryptographic private keys are typically used and verified by a public key on a server, to ensure the users identity and communicate securely.

What’s the risk to me or my business?

Organisations using a vulnerable version of PuTTY or other software that utilises a vulnerable version are at risk of compromise and unauthorised access to their SSH servers, impacting the confidentiality, integrity and availability of the organisation.

It has been reported that to perform the exploit successfully and calculate a user’s private key, an attacker will need 58 signatures, which could be gained from different sources including signed Git commits or an attacker-owned SSH server which the victim logs in to.

The vulnerability impacts versions 068 to 0.80 of PuTTY, with a fix available in version 0.81.

In addition, the following third-party software has been confirmed as vulnerable, however more are likely to be identified as the full extent of the vulnerability becomes apparent:

FileZilla 3.24.1 – 3.66.5 (fixed in 3.67.0)

WinSCP 5.9.5 – 6.3.2 (fixed in 6.3.3)

TortoiseGit 2.4.0.2 – 2.15.0 (fixed in 2.15.0.1)

TortoiseSVN 1.10.0 – 1.14.6  (users are advised to configure TortoiseSVN to use Plink from the latest PuTTY 0.81 release until a patch becomes available)

What can I do?

Black Arrow recommends upgrading to PuTTY version 0.81, or later, immediately, where available. Organisations should also check if they are using any tools which implement a vulnerable version of PuTTY, this could be achieved with a network vulnerability scan across affected information assets. In addition to the above, organisations should assess if they have any signed Git commits, as these may be used by attackers to gain the signatures required to exploit the vulnerability.

If your organisation has identified the use of any NIST p521 keys generated by a vulnerable version of the tool, they should be replaced by new secure keys immediately, and again following identification and applying updates to affected vulnerable versions.

Technical Summary

CVE-2024-31497- A vulnerability in PuTTY that can allow attackers to recover private keys. The impacted key type is is 521-bit ECDSA, also known as NIST p521.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Further information can be found here:

https://www.openwall.com/lists/oss-security/2024/04/15/6