Fedora 40 update for filezilla, libfilezilla

Published: 2024-04-16 | Updated: 2024-05-13

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2024-31497
CWE-ID	CWE-310
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #1 is available.
Vulnerable software	Fedora Operating systems & Components / Operating system libfilezilla Operating systems & Components / Operating system package or component filezilla Operating systems & Components / Operating system package or component
Vendor	Fedoraproject

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Cryptographic issues

EUVDB-ID: #VU88542

Risk: Medium

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-31497

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to recover NIST P-521 private keys.

The vulnerability exists due to the PuTTY client and all related components generate heavily biased ECDSA nonces in the case of NIST P-521. A remote attacker can recover the NIST P-521 private key using roughly 60 valid ECDSA signatures generated by any PuTTY component under the same key.

Note, if the key has been used to sign arbitrary data (e.g., git commits by forwarding Pageant to a development host), the publicly available signatures (e.g., on GitHub) can be used as well.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 40

libfilezilla: before 0.47.0-1.fc40

filezilla: before 3.67.0-1.fc40

CPE2.3

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2024-ff9a2fb31c

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.