Posted 4/16/2024, 3:01:57 PM
PuTTY Vulnerability Could Allow Attackers to Steal Private Keys
- PuTTY vulnerability (CVE-2024-31497) could allow attackers to recover private keys using 60 cryptographic signatures
- Vulnerability caused by bias in way PuTTY generates encryption nonces for NIST P-521 curve
- Attakers can harvest signatures by compromising SSH server or from public Git commits
- Private key recovery allows unauthorized SSH server access or signing Git commits as developer
- Vulnerability fixed in PuTTY 0.81; other software like FileZilla, WinSCP, TortoiseGit, TortoiseSVN also impacted
