Cyber Resilience

CVE-2024-31497

Severity: Medium

Published: 15 April 2024
Modified: 04 November 2025
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.2327 (96.1st percentile)
Risk Priority: 26 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-31497 is a medium-severity vulnerability classed as CWE-338 (use of a cryptographically weak PRNG), recorded against Fedoraproject Fedora. Its CVSS 3.1 base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). The CVE is ranked in the top 3.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

In PuTTY versions 0.68 through 0.80, a flaw in ECDSA nonce generation for NIST P-521 keys enables recovery of the private key from roughly 60 signatures. The same biased-nonce issue is present in FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6. The vulnerability is tracked as CWE-338 and carries a CVSS 3.1 score of 5.9.

An attacker who obtains a modest set of signatures—either from publicly visible Git commits created through Pageant agent forwarding or by operating a malicious SSH server the victim connects to—can extract the P-521 private key. Once the key is recovered, the attacker can impersonate the victim against other services that accept the same key, including additional Git repositories where supply-chain modifications become possible.

Advisories and vendor notices direct users to upgrade PuTTY to 0.81 or later and to apply the corresponding fixed releases of the affected client tools. The references also highlight that previously collected signatures may already be sufficient for key recovery, so retrospective rotation of P-521 keys is recommended even if no further vulnerable versions are used.
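The two remediation steps above (upgrade the client, rotate P-521 keys retrospectively) both start with an inventory question: which keys are ECDSA over NIST P-521, and which PuTTY versions fall in the affected range. The following helper is an added example written for this page, not code from the advisory or the PuTTY project. It assumes public keys are supplied as OpenSSH single-line entries (type, base64 blob, optional comment) and reads the key type and curve name out of the decoded blob as laid out in RFC 4251/5656, so a mislabelled text prefix cannot hide a P-521 key. All key material in the sample inventory is constructed placeholder bytes, not real keys.

```python
"""Inventory helper for CVE-2024-31497 remediation (added example):
  1. flag SSH public keys that are ECDSA over NIST P-521 (rotation
     candidates, since earlier signatures may already have leaked them);
  2. classify a PuTTY version string against the affected 0.68-0.80 range.
Sample keys below are constructed placeholders, not real key material."""
import base64
import struct

# Affected range as stated in the advisory: 0.68 through 0.80, fixed in 0.81.
AFFECTED_MIN = (0, 68)
FIXED_IN = (0, 81)


def _ssh_string(data):
    """Encode one RFC 4251 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob, offset):
    """Decode one RFC 4251 'string' at offset; returns (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated SSH key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated SSH key blob")
    return blob[start:end], end


def parse_ssh_public_key(line):
    """Parse an OpenSSH public-key line ('type base64 [comment]') into
    (key_type, curve_or_None, comment).

    The key type is read from the decoded blob rather than the text prefix.
    For ecdsa-sha2-* keys the second blob field is the curve identifier
    (RFC 5656, e.g. 'nistp521')."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type_bytes, off = _read_ssh_string(blob, 0)
    key_type = key_type_bytes.decode("ascii")
    curve = None
    if key_type.startswith("ecdsa-sha2-"):
        curve_bytes, off = _read_ssh_string(blob, off)
        curve = curve_bytes.decode("ascii")
    comment = parts[2].strip() if len(parts) == 3 else ""
    return key_type, curve, comment


def needs_rotation(line):
    """True when the key is ECDSA over NIST P-521.  Any signature a vulnerable
    PuTTY/Pageant ever made with such a key may already have exposed it, so
    the key should be rotated regardless of the client version in use now."""
    key_type, curve, _ = parse_ssh_public_key(line)
    return key_type == "ecdsa-sha2-nistp521" or curve == "nistp521"


def audit_keys(lines):
    """Return the comments of every key in `lines` that needs rotation."""
    flagged = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if needs_rotation(line):
            flagged.append(parse_ssh_public_key(line)[2] or "<no comment>")
    return flagged


def parse_version(text):
    """'0.80' -> (0, 80); also accepts 'PuTTY 0.80' or 'Release 0.80'."""
    token = text.strip().split()[-1]
    return tuple(int(p) for p in token.split("."))


def putty_version_affected(text):
    """True for PuTTY 0.68 <= version < 0.81 (the range in the advisory)."""
    return AFFECTED_MIN <= parse_version(text) < FIXED_IN


def _constructed_key_line(key_type, curve, key_bytes, comment):
    """Build a syntactically valid key line from placeholder bytes.  The key
    bytes are NOT a real key or a valid curve point; they only give the
    parser realistic-shaped input."""
    blob = _ssh_string(key_type.encode())
    if curve:
        blob += _ssh_string(curve.encode())
    blob += _ssh_string(key_bytes)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample inventory: one P-521 key, one P-256 key, one Ed25519 key.
SAMPLE_KEYS = [
    _constructed_key_line("ecdsa-sha2-nistp521", "nistp521", b"\x04" + bytes(132), "alice@laptop"),
    _constructed_key_line("ecdsa-sha2-nistp256", "nistp256", b"\x04" + bytes(64), "bob@desktop"),
    _constructed_key_line("ssh-ed25519", None, bytes(32), "ci-deploy"),
]

if __name__ == "__main__":
    print("rotate:", audit_keys(SAMPLE_KEYS))  # ['alice@laptop']
    for v in ("0.67", "0.68", "0.80", "0.81"):
        print(v, "affected" if putty_version_affected(v) else "not affected")
```

Only the P-521 key is flagged: P-256 and Ed25519 keys are outside the weakness described here, and the version check treats 0.81 as fixed. Feed `audit_keys` the contents of a user's `.pub` files or the key list exported from a Git hosting account to build the rotation list.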

The EPSS score sits at 0.2327 with no material upward movement after disclosure.

EU & UK References

Vulnerability details

In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is able to read messages signed by PuTTY or Pageant. The required set of signed messages may be publicly readable because they are stored in a public Git service that supports use of SSH for commit signing, and the signatures were made by Pageant through an agent-forwarding mechanism. In other words, an adversary may already have enough signature information to compromise a victim's private key, even if there is no further use of vulnerable PuTTY versions. After a key compromise, an adversary may be able to conduct supply-chain attacks on software maintained in Git. A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

- T1212 Exploitation for Credential Access (tactic: Credential Access): Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
- T1589.001 Credentials (tactic: Reconnaissance): Adversaries may gather credentials that can be used during targeting.
- T1195.002 Compromise Software Supply Chain (tactic: Initial Access): Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

Biased ECDSA nonces enable private key recovery from ~60 signatures collected via malicious SSH servers or public git commits, facilitating exploitation for credential access (T1212), reconnaissance to gather victim credentials (T1589.001), and supply chain compromise through git repository impersonation (T1195.002).

Affected Assets

Vendor              Product            Versions
putty               putty              0.68 — 0.81
filezilla-project   filezilla client   ≤ 3.67.0
winscp              winscp             ≤ 6.3.3
tortoisegit         tortoisegit        ≤ 2.15.0.1
tigris              tortoisesvn        ≤ 1.14.6
fedoraproject       fedora             38, 39, 40

Mitigating Controls

Likely Mitigating Controls (AI-mapped)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Security associations share details on cryptographically weak PRNGs, helping avoid their implementation in security-critical functions. (addresses: CWE-338)
- Cryptographic key management standards require cryptographically strong PRNGs for key material, blocking use of weak generators. (addresses: CWE-338)

References