PT-2024-2774 · Winscp+6 · Winscp+7

Smartkeyss · Published 2024-03-05 · Updated 2025-10-21 · CVE-2024-31497

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
PuTTY versions 0.68 through 0.80
FileZilla versions 3.24.1 through 3.66.5
WinSCP versions 5.9.5 through 6.3.2
TortoiseGit versions 2.4.0.2 through 2.15.0
TortoiseSVN versions 1.10.0 through 1.14.6

Description
PuTTY generates biased ECDSA nonces, which allows an attacker to recover a user's NIST P-521 secret key with a quick attack using approximately 60 signatures. This matters most where an adversary can read messages signed by PuTTY or Pageant, for example when signed commits are stored on a public Git service that supports SSH for commit signing. The vulnerability can be exploited to compromise private keys, potentially leading to unauthorized access to servers and services. In some cases, this could enable supply-chain attacks on software maintained in Git.

Recommendations
For PuTTY versions 0.68 through 0.80, update to version 0.81 or later to fix the security issue.
For FileZilla versions 3.24.1 through 3.66.5, update to version 3.67.0 or later.
For WinSCP versions 5.9.5 through 6.3.2, update to version 6.3.3 or later.
For TortoiseGit versions 2.4.0.2 through 2.15.0, update to version 2.15.0.1 or later.
For TortoiseSVN versions 1.10.0 through 1.14.6, apply the available workaround or wait for a patch.
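Because the page states that only the NIST P-521 key can be recovered, a defender's first job is to find which clients sit in the affected version ranges and which ecdsa-sha2-nistp521 keys those clients may have used. The script below is an added example written for this entry, not tooling from PuTTY, FileZilla, WinSCP, TortoiseGit or TortoiseSVN: it takes the version ranges from the text above, decodes the key-type header from the binary blob of each authorized_keys line (rather than trusting the text label in front of it), and reports P-521 keys. The authorized_keys lines are constructed with dummy payloads and are not real keys.

```python
"""
Inventory check for CVE-2024-31497 (example code written for this entry).
Flags client versions inside the affected ranges listed on the page and
SSH public keys of the affected type (ecdsa-sha2-nistp521).
"""
import base64
import re
import struct

# Affected version ranges as stated on the page (inclusive on both ends) and
# the first fixed version the page recommends; TortoiseSVN has no fix listed.
AFFECTED = {
    "putty":       ("0.68",    "0.80",   "0.81"),
    "filezilla":   ("3.24.1",  "3.66.5", "3.67.0"),
    "winscp":      ("5.9.5",   "6.3.2",  "6.3.3"),
    "tortoisegit": ("2.4.0.2", "2.15.0", "2.15.0.1"),
    "tortoisesvn": ("1.10.0",  "1.14.6", None),
}

def parse_version(v):
    """Turn '2.15.0.1' into a tuple of ints so it compares numerically, not lexically."""
    return tuple(int(p) for p in v.strip().split("."))

def is_affected_version(product, version):
    """True if `version` of `product` falls inside the affected range on the page."""
    lo, hi, _fix = AFFECTED[product.lower()]
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)

def ssh_key_type(blob_b64):
    """Read the key type from the start of an SSH public key blob.

    The blob is the base64 field of an authorized_keys / .pub line. Its wire
    format starts with a big-endian uint32 length followed by the key-type
    string, so the type is taken from there, not from the text label.
    """
    blob = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def find_p521_keys(authorized_keys_text):
    """Return (line_number, comment) for every ecdsa-sha2-nistp521 key in the text."""
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # A line may carry an options field (e.g. "no-pty,restrict") before the
        # type label; the blob is the first long field made only of base64 chars.
        for i, f in enumerate(fields):
            if len(f) > 16 and re.fullmatch(r"[A-Za-z0-9+/=]+", f):
                try:
                    ktype = ssh_key_type(f)
                except Exception:
                    continue  # not a decodable blob, keep looking
                if ktype == "ecdsa-sha2-nistp521":
                    hits.append((lineno, " ".join(fields[i + 1:])))
                break
    return hits

def _fake_blob(ktype):
    """Constructed blob for the sample input: correct type header, dummy payload."""
    t = ktype.encode()
    return base64.b64encode(struct.pack(">I", len(t)) + t + b"\x00" * 32).decode()

# Constructed sample authorized_keys content (not real keys).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    f"ssh-ed25519 {_fake_blob('ssh-ed25519')} alice@laptop",
    f"ecdsa-sha2-nistp521 {_fake_blob('ecdsa-sha2-nistp521')} bob@build-host",
    f"no-pty,restrict ecdsa-sha2-nistp521 {_fake_blob('ecdsa-sha2-nistp521')} deploy@ci",
    f"ecdsa-sha2-nistp256 {_fake_blob('ecdsa-sha2-nistp256')} carol@desk",
])

if __name__ == "__main__":
    for product, version in [("putty", "0.80"), ("winscp", "6.3.3"), ("tortoisegit", "2.15.0")]:
        fix = AFFECTED[product][2] or "workaround / wait for patch"
        state = "AFFECTED" if is_affected_version(product, version) else "ok"
        print(f"{product} {version}: {state} (fix: {fix})")
    for lineno, comment in find_p521_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: P-521 key ({comment})")
```

Keys of other types on the same clients are not reported because the page only describes recovery of the P-521 key; the P-256 and Ed25519 lines in the sample are there to show that the blob header, not the label, decides the match.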

Exploit · Fix · Information Disclosure

Weakness Enumeration

Related Identifiers

ALSA-2024_1130
ALSA-2024_1150
ALSA-2025_16880
ALT-PU-2024-14430
ALT-PU-2024-15033
ALT-PU-2024-6830
ALT-PU-2024-9396
ALT-PU-2024-9607
ALT-PU-2024-9848
BDU:2024-02912
CVE-2024-31497
DLA-3839-1
GHSA-6P4C-R453-8743
MGASA-2024-0140
OPENSUSE-SU-2024:0111-1
OPENSUSE-SU-2024:13868-1
OPENSUSE-SU-2024:13870-1

Affected Products

Alt Linux
Debian
Filezilla
Putty
Red Os
Tortoisegit
Tortoisesvn
Winscp