Cryptographic Vulnerability in PuTTY

Published on 19 Apr 2024

The PuTTY Project has released a security update to address a cryptographic vulnerability (CVE-2024-31497) in PuTTY.

Successful exploitation of this vulnerability could allow attackers with access to sufficient cryptographic signatures to derive the corresponding NIST P-521 private key.

Cryptographic signatures are digital signatures generated from cryptographic keys, and are used to verify the authenticity and integrity of a message, as well as the identity of the sender. These signatures may already be exposed if, for example, they are used for commit signing over SSH in a public Git service. Upon obtaining the private key, an attacker can forge signatures, log in to servers where the key is used, or conduct supply-chain attacks on software maintained in Git.

PuTTY versions from 0.68 to 0.80 inclusive are affected by this vulnerability. Products which incorporate a vulnerable version of the software, namely FileZilla, WinSCP, TortoiseGit and TortoiseSVN, are also impacted by the vulnerability.

Users and administrators of PuTTY and affected products are advised to update to the latest versions immediately.

Additionally, all NIST P-521 client keys used with PuTTY should be considered compromised and be revoked immediately. This is because the vulnerability can still be exploited even after updating PuTTY, should the requisite pre-patch signatures be available to an attacker.
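To support the revocation step above, the following added example (not part of the original advisory or of PuTTY) lists the NIST P-521 entries in an `authorized_keys` file with their SHA256 fingerprints, so they can be reviewed and removed. The function names and the sample input are assumptions made for illustration, and the script cannot tell whether a listed key was ever used with PuTTY; it only identifies candidates.

```python
import base64, hashlib, struct

P521 = "ecdsa-sha2-nistp521"  # SSH key type name for NIST P-521 ECDSA keys

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def blob_key_type(blob: bytes) -> str:
    """Algorithm name stored as the first string inside a public key blob."""
    if len(blob) < 4:
        return ""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii", "replace")

def find_p521_keys(text: str):
    """Return (line_no, fingerprint, comment) for each P-521 entry in text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options may precede the key type, so test every field, not just the first.
        for i, field in enumerate(fields[:-1]):
            if not field.startswith(P521):
                continue
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                continue  # next field is not base64, so this was not the key type
            if blob_key_type(blob).startswith(P521):
                digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
                hits.append((no, "SHA256:" + digest.rstrip("="), " ".join(fields[i + 2:])))
                break
    return hits

def make_line(key_type, parts, comment, options=""):
    """Build a constructed authorized_keys line (placeholder key material)."""
    blob = ssh_string(key_type.encode()) + b"".join(ssh_string(p) for p in parts)
    return f"{options}{key_type} {base64.b64encode(blob).decode()} {comment}"

# Constructed sample input; the key bytes are zero-filled placeholders, not real keys.
SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    make_line("ssh-ed25519", [bytes(32)], "alice@laptop"),
    make_line(P521, [b"nistp521", b"\x04" + bytes(132)], "bob@ws", 'command="/usr/bin/backup run" '),
    make_line("ecdsa-sha2-nistp256", [b"nistp256", b"\x04" + bytes(64)], "carol@ws"),
])

if __name__ == "__main__":
    for no, fp, comment in find_p521_keys(SAMPLE):
        print(f"line {no}: {fp} {comment}")
```

To audit a real file, pass its contents to `find_p521_keys()`; the fingerprints use the same `SHA256:` form that `ssh-keygen -lf` prints, which makes it easier to match entries against key inventories.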

More information is available here:
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html
https://nvd.nist.gov/vuln/detail/CVE-2024-31497
https://www.bleepingcomputer.com/news/security/putty-ssh-client-flaw-allows-recovery-of-cryptographic-private-keys/