Skip to main content

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

Cryptographic Vulnerability in PuTTY

19 April 2024

The PuTTy Project has released a security update to address a cryptographic vulnerability (CVE-2024-31497) in PuTTY.

Successful exploitation of this vulnerability could allow attackers with access to sufficient cryptography signatures to derive their corresponding NIST P-521 private key.

Cryptography signatures are digital signatures generated from cryptographic keys, and are used to verify the authenticity and integrity of the message, as well as the identity of the sender. These signatures may already be exposed if, for example, they are used for commit signing over SSH in a public Git service. Upon obtaining the private key, an attacker can forge signatures, log in to servers which the key is used for, or conduct supply-chain attacks on software maintained in Git.

PuTTY versions from 0.68 to 0.80 inclusive are affected by this vulnerability. Products which incorporate a vulnerable version of the software, namely FileZilla, WinSCP, TortoiseGit and TortoiseSVN, are also impacted by the vulnerability.

Users and administrators of PuTTY and affected products are advised to update to the latest versions immediately.

Additionally, all NIST P-521 client keys used with PuTTY should be considered compromised and be revoked immediately. This is because the vulnerability can still be exploited even after updating PuTTY, should the requisite pre-patch signatures be available to an attacker.

More information is available here:

https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html

https://nvd.nist.gov/vuln/detail/CVE-2024-31497

https://www.bleepingcomputer.com/news/security/putty-ssh-client-flaw-allows-recovery-of-cryptographic-private-keys/

Back to top