Main Vulnerability Database SB2024041629

SB2024041629 - Fedora 40 update for filezilla, libfilezilla

Published: April 16, 2024 Updated: May 13, 2024

Security Bulletin ID SB2024041629

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Cryptographic issues (CVE-ID: CVE-2024-31497)

The vulnerability allows a remote attacker to recover NIST P-521 private keys.

The vulnerability exists due to the PuTTY client and all related components generate heavily biased ECDSA nonces in the case of NIST P-521. A remote attacker can recover the NIST P-521 private key using roughly 60 valid ECDSA signatures generated by any PuTTY component under the same key.

Note, if the key has been used to sign arbitrary data (e.g., git commits by forwarding Pageant to a development host), the publicly available signatures (e.g., on GitHub) can be used as well.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2024-ff9a2fb31c

SB2024041629 - Fedora 40 update for filezilla, libfilezilla

Breakdown by Severity

Description

Remediation

References

Please verify you're human