Main Vulnerability Database Exploits ID:9783 - Exploit for Cryptographic issues in PuTTY - CVE-2024-31497

ID:9783 - Exploit for Cryptographic issues in PuTTY - CVE-2024-31497

Published: May 13, 2024

Vulnerability identifier: #VU88542

Vulnerability risk: Medium

CVE-ID: CVE-2024-31497

CWE-ID: CWE-310

Exploitation vector: Remote access

Vulnerable software:
PuTTY

Link to public exploit:

https://github.com/HugoBond/CVE-2024-31497-POC

Vulnerability description

The vulnerability allows a remote attacker to recover NIST P-521 private keys.

The vulnerability exists due to the PuTTY client and all related components generate heavily biased ECDSA nonces in the case of NIST P-521. A remote attacker can recover the NIST P-521 private key using roughly 60 valid ECDSA signatures generated by any PuTTY component under the same key.

Note, if the key has been used to sign arbitrary data (e.g., git commits by forwarding Pageant to a development host), the publicly available signatures (e.g., on GitHub) can be used as well.

Remediation

Install updates from vendor's website.

ID:9783 - Exploit for Cryptographic issues in PuTTY - CVE-2024-31497

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human