Widely-Used PuTTY SSH Client Found Vulnerable to Key Recovery Attack

2024-04-16 11:14

The maintainers of the PuTTY Secure Shell (SSH) and Telnet client are alerting users of a critical vulnerability impacting versions from 0.68 through 0.80 that could be exploited to achieve full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys. The flaw has been assigned the CVE identifier CVE-2024-31497, with the discovery credited to researchers Fabian Bäumer and Marcus

News URL

https://thehackernews.com/2024/04/widely-used-putty-ssh-client-found.html

#attack #SSH #CVE-2024-31497

Related Vulnerability

DATE	CVE	VULNERABILITY TITLE	RISK
2024-04-15	CVE-2024-31497	Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in multiple products In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures. network high complexity putty filezilla-project winscp tortoisegit tigris fedoraproject CWE-338	5.9

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Putty		1	4	10	7	4	25
SSH		7	2	8	4	1	15