April 16, 2024 at 12:54PM
PuTTY developers released an update to patch a critical vulnerability allowing recovery of secret keys. The vulnerability affects versions 0.68 through 0.80, with PuTTY 0.81 fixing the issue. Affected keys, including those used by products like FileZilla and WinSCP, must be revoked immediately. Researchers warned of the potential for key recovery and urged caution.
The recent meeting notes indicate that the developers of PuTTY have released an update to address a critical vulnerability discovered by researchers at Ruhr University Bochum in Germany. The vulnerability, tracked as CVE-2024-31497, allows for the full recovery of NIST P-521 client keys after approximately 60 valid ECDSA signatures have been seen by a malicious actor. This recovery could enable the forging of signatures and potentially unauthorized access to servers.
The affected PuTTY versions are 0.68 through 0.80, and version 0.81 has been released to fix the vulnerability. Additionally, it was noted that several products relying on affected PuTTY versions, such as FileZilla, WinSCP, TortoiseGit, and TortoiseSVN, are also vulnerable. Patches or mitigations are available for these products.
The PuTTY developers have emphasized the immediate revocation of affected keys and highlighted the potential repercussions if these keys are not revoked promptly. It was also mentioned that an explanation is provided on how a threat actor could recover a key and what they could use it for.
The meeting notes further reference that multiple vulnerabilities have been patched in PuTTY and LibSSH2, and that various tech giants have formed a post-quantum cryptography alliance.
If you need more specific details or action items from these meeting notes, feel free to let me know.