Main Vulnerability Database SB2024041565

SB2024041565 - FileZilla update for PuTTY

Published: April 15, 2024 Updated: May 13, 2024

Security Bulletin ID SB2024041565

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Cryptographic issues (CVE-ID: CVE-2024-31497)

The vulnerability allows a remote attacker to recover NIST P-521 private keys.

The vulnerability exists due to the PuTTY client and all related components generate heavily biased ECDSA nonces in the case of NIST P-521. A remote attacker can recover the NIST P-521 private key using roughly 60 valid ECDSA signatures generated by any PuTTY component under the same key.

Note, if the key has been used to sign arbitrary data (e.g., git commits by forwarding Pageant to a development host), the publicly available signatures (e.g., on GitHub) can be used as well.

Remediation

Install update from vendor's website.

References

https://seclists.org/oss-sec/2024/q2/122