Critical PuTTY Vulnerability Allows Secret Key Recovery

The developers of PuTTY have released an update to patch a critical vulnerability that can be exploited to recover secret keys. 
PuTTY 的开发人员发布了一个更新，以修补一个可用于恢复密钥的关键漏洞。

PuTTY is an open source client program for SSH, Telnet, and other network protocols, enabling connections to remote servers and file transfers. 
PuTTY 是一个用于 SSH、Telnet 和其他网络协议的开源客户端程序，支持连接到远程服务器和文件传输。

Two researchers from Ruhr University Bochum in Germany discovered that the client and related components “generate heavily biased ECDSA nonces in the case of NIST P-521”, which enables full secret key recovery. The vulnerability is tracked as CVE-2024-31497.
来自德国波鸿鲁尔大学的两名研究人员发现，客户端和相关组件“在 NIST P-521 的情况下生成严重偏差的 ECDSA 随机数”，从而实现完整的密钥恢复。该漏洞被跟踪为 CVE-2024-31497。

“The nonce bias allows for full secret key recovery of NIST P-521 keys after a malicious actor has seen roughly 60 valid ECDSA signatures generated by any PuTTY component under the same key,” the researchers explained.
研究人员解释说：“在恶意行为者看到任何PuTTY组件在同一密钥下生成的大约60个有效ECDSA签名后，随机数偏差允许对NIST P-521密钥进行完全的密钥恢复。

They noted that the required signatures can be obtained by a malicious server or from other sources, such as signed git commits.
他们指出，所需的签名可以由恶意服务器或其他来源获取，例如签名的 git 提交。

“All NIST P-521 client keys used with PuTTY must be considered compromised, given that the attack can be carried out even after the root cause has been fixed in the source code (assuming that ~60 pre-patch signatures are available to an adversary),” the researchers warned.
研究人员警告说：“所有与PuTTY一起使用的NIST P-521客户端密钥都必须被视为已泄露，因为即使在源代码中修复了根本原因（假设对手可以使用~60个预补丁签名）也可以进行攻击。

PuTTY developers have provided an explanation on how a threat actor could recover a key and what they could use it for.
PuTTY 开发人员提供了有关威胁参与者如何恢复密钥以及他们可以将其用于什么目的的解释。

“An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key, and then forge signatures as if they were from you, allowing them to (for instance) log in to any servers you use that key for,” they explained. “To obtain these signatures, an attacker need only briefly compromise any server you use the key to authenticate to, or momentarily gain access to a copy of Pageant holding the key.”
他们解释说：“拥有几十条签名消息和公钥的攻击者有足够的信息来恢复私钥，然后伪造签名，就好像它们来自你一样，允许他们（例如）登录到你使用该密钥的任何服务器。“要获得这些签名，攻击者只需短暂破坏您使用密钥进行身份验证的任何服务器，或者暂时获得对持有密钥的 Pageant 副本的访问权限。”

PuTTY versions 0.68 through 0.80 are affected, and PuTTY 0.81 fixes the vulnerability. Several products that rely on an affected PuTTY version are vulnerable as well, including FileZilla, WinSCP, TortoiseGit and TortoiseSVN. Patches or mitigations are available for these products as well. 
PuTTY 版本 0.68 至 0.80 受到影响，PuTTY 0.81 修复了该漏洞。一些依赖于受影响的 PuTTY 版本的产品也容易受到攻击，包括 FileZilla、WinSCP、TortoiseGit 和 TortoiseSVN。这些产品也提供了修补程序或缓解措施。

Affected keys must be revoked immediately, PuTTY developers urged users. 
受影响的密钥必须立即撤销，PuTTY 开发人员敦促用户。

An entry for CVE-2024-31497 in NIST’s National Vulnerability Database warns that the vulnerability could allow supply chain attacks.
NIST 国家漏洞数据库中 CVE-2024-31497 的条目警告说，该漏洞可能允许供应链攻击。

*updated with information from the NIST NVD advisory
*更新了 NIST NVD 公告中的信息

Related: Multiple Vulnerabilities Patched in PuTTY and LibSSH2
相关新闻： PuTTY 和 LibSSH2 中修补的多个漏洞

Related: JumpCloud Says All API Keys Invalidated to Protect Customers
相关新闻： JumpCloud 表示所有 API 密钥都失效以保护客户

Related: Tech Giants Form Post-Quantum Cryptography Alliance
相关新闻：科技巨头组建后量子密码学联盟