CVE-2024-31497
Published: 15 April 2024
Summary
CVE-2024-31497 is a medium-severity PRNG (CWE-338) vulnerability in Fedoraproject Fedora. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). The CVE ranks in the top 3.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
In PuTTY versions 0.68 through 0.80, a flaw in ECDSA nonce generation for NIST P-521 keys enables recovery of the private key from roughly 60 signatures. The same biased-nonce issue is present in FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6. The vulnerability is tracked as CWE-338 and carries a CVSS 3.1 score of 5.9.
An attacker who obtains a modest set of signatures—either from publicly visible Git commits created through Pageant agent forwarding or by operating a malicious SSH server the victim connects to—can extract the P-521 private key. Once the key is recovered, the attacker can impersonate the victim against other services that accept the same key, including additional Git repositories where supply-chain modifications become possible.
Advisories and vendor notices direct users to upgrade PuTTY to 0.81 or later and to apply the corresponding fixed releases of the affected client tools. The references also highlight that previously collected signatures may already be sufficient for key recovery, so retrospective rotation of P-521 keys is recommended even if no further vulnerable versions are used.
The EPSS score sits at 0.2327 with no material upward movement after disclosure.
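Because the references stress rotating P-521 keys that may already have produced signatures, an inventory of such keys is the first remediation step. The following Python is an added example, not code from the page or any of the affected projects: it parses OpenSSH authorized_keys-style lines, decodes each ECDSA key blob and flags the entries whose blob names the nistp521 curve. The sample lines and key points are constructed dummies.

```python
import base64
import struct

# Only NIST P-521 ECDSA keys are affected by CVE-2024-31497.
AFFECTED_CURVES = {b"nistp521"}

def parse_wire_strings(blob: bytes) -> list[bytes]:
    """Split a decoded SSH public-key blob into its uint32-length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])  # struct.error if prefix truncated
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields

def find_p521_keys(authorized_keys_text: str) -> list[str]:
    """Return the comment of each ECDSA key whose decoded blob names an affected curve."""
    flagged = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Lines may begin with options (command=..., from=...), so locate the type token.
        for i, tok in enumerate(parts[:-1]):
            if not tok.startswith("ecdsa-sha2-"):
                continue
            try:
                fields = parse_wire_strings(base64.b64decode(parts[i + 1], validate=True))
            except (ValueError, struct.error):
                continue  # token not followed by a well-formed blob
            # The curve name is taken from the decoded blob, not from the free-text token.
            if len(fields) >= 3 and fields[0] == tok.encode() and fields[1] in AFFECTED_CURVES:
                flagged.append(" ".join(parts[i + 2:]) or tok)
            break
    return flagged

def make_key_line(key_type: str, curve: str, point: bytes, comment: str) -> str:
    """Build a constructed authorized_keys line; the point is dummy bytes, not a real key."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (key_type.encode(), curve.encode(), point))
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

# Constructed sample file: two P-521 keys (to rotate) and one P-256 key (unaffected).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    make_key_line("ecdsa-sha2-nistp521", "nistp521", b"\x04" + b"\x11" * 132, "alice@build"),
    make_key_line("ecdsa-sha2-nistp256", "nistp256", b"\x04" + b"\x22" * 64, "bob@ci"),
    'command="/usr/bin/git-shell" ' + make_key_line("ecdsa-sha2-nistp521", "nistp521", b"\x04" + b"\x33" * 132, "deploy@repo"),
])
```

Running `find_p521_keys(SAMPLE_AUTHORIZED_KEYS)` returns `['alice@build', 'deploy@repo']`; the same function can be pointed at real authorized_keys or known-key exports to build the rotation list.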
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-29377
Vulnerability details
In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is able to read messages signed by PuTTY or Pageant. The required set of signed messages may be publicly readable because they are stored in a public Git service that supports use of SSH for commit signing, and the signatures were made by Pageant through an agent-forwarding mechanism. In other words, an adversary may already have enough signature information to compromise a victim's private key, even if there is no further use of vulnerable PuTTY versions. After a key compromise, an adversary may be able to conduct supply-chain attacks on software maintained in Git. A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Biased ECDSA nonces enable private key recovery from ~60 signatures collected via malicious SSH servers or public git commits, facilitating exploitation for credential access (T1212), reconnaissance to gather victim credentials (T1589.001), and supply chain compromise through git repository impersonation (T1195.002).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security associations publish guidance on cryptographically weak PRNGs, helping developers avoid using them in security-critical functions.
Cryptographic key management standards require cryptographically strong PRNGs for key material, blocking use of weak generators.