PuTTY Vulnerability Vuln-p521-bias

by hubie from SoylentNews on (#6M4GB)

upstart writes:

PuTTY vulnerability vuln-p521-bias:

summary: NIST P521 private keys are exposed by biased signature generation
class: vulnerability: This is a security vulnerability.
priority: high: This should be fixed in the next release.
absent-in: 0.67
present-in: 0.68 0.69 0.70 0.71 0.72 0.73 0.74 0.75 0.76 0.77 0.78 0.79 0.80
fixed-in: c193fe9848f50a88a4089aac647fecc31ae96d27 (0.81)

Every version of the PuTTY tools from 0.68 to 0.80 inclusive has a critical vulnerability in the code that generates signatures from ECDSA private keys which use the NIST P521 curve. (PuTTY, or Pageant, generates a signature from a key when using it to authenticate you to an SSH server.)

This vulnerability has been assigned CVE-2024-31497. It was discovered by Fabian Baumer and Marcus Brinkmann of the Ruhr University Bochum; see their write-up on the oss-security mailing list.

The bad news: the effect of the vulnerability is to compromise the private key. An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key, and then forge signatures as if they were from you, allowing them to (for instance) log in to any servers you use that key for. To obtain these signatures, an attacker need only briefly compromise any server you use the key to authenticate to, or momentarily gain access to a copy of Pageant holding the key. (However, these signatures are not exposed to passive eavesdroppers of SSH connections.)

Therefore, if you have a key of this type, we recommend you revoke it immediately: remove the old public key from all OpenSSH authorized_keys files, and the equivalent in other SSH servers, so that a signature from the compromised key has no value any more. Then generate a new key pair to replace it.

(The problem is not with how the key was originally generated; it doesn't matter whether it came from PuTTYgen or somewhere else. What matters is whether it was ever used with PuTTY or Pageant.)

The good news: the only affected key type is 521-bit ECDSA. That is, a key that appears in Windows PuTTYgen with ecdsa-sha2-nistp521 at the start of the 'Key fingerprint' box, or is described as 'NIST p521' when loaded into Windows Pageant, or has an id starting ecdsa-sha2-nistp521 in the SSH protocol or the key file. Other sizes of ECDSA, and other key algorithms, are unaffected. In particular, Ed25519 is not affected.
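As an added example (not part of the advisory or of PuTTY's code), the Python below finds ecdsa-sha2-nistp521 entries in authorized_keys text so they can be removed as recommended above. It assumes the usual OpenSSH one-key-per-line format; the function names and the sample keys are constructed for illustration.

```python
import base64
import struct

AFFECTED = "ecdsa-sha2-nistp521"  # key id named in the advisory

def blob_key_type(b64):
    """Return the algorithm name that prefixes an SSH public key blob, or None."""
    try:
        raw = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])       # uint32 length, big-endian
        return raw[4:4 + n].decode("ascii")
    except (ValueError, struct.error):
        return None

def find_p521_entries(text):
    """Return [(line_number, comment)] for each nistp521 key in authorized_keys text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options (from="...", no-pty, ...) may precede the key type, so scan for it
        # and confirm with the blob rather than trusting the first field.
        for i, field in enumerate(fields[:-1]):
            if field == AFFECTED and blob_key_type(fields[i + 1]) == AFFECTED:
                hits.append((lineno, " ".join(fields[i + 2:])))
                break
    return hits

def _constructed_blob(key_type):
    # Constructed test data: correct framing, dummy bytes instead of a real key.
    parts = [key_type.encode(), b"dummy-key-material"]
    return base64.b64encode(
        b"".join(struct.pack(">I", len(p)) + p for p in parts)).decode()

SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-ed25519 {_constructed_blob('ssh-ed25519')} alice@laptop",
    f"{AFFECTED} {_constructed_blob(AFFECTED)} bob@putty",
    f'from="10.0.0.0/8",no-pty {AFFECTED} {_constructed_blob(AFFECTED)} ci key',
    f"ecdsa-sha2-nistp256 {_constructed_blob('ecdsa-sha2-nistp256')} carol@host",
])

if __name__ == "__main__":
    for lineno, comment in find_p521_entries(SAMPLE):
        print(f"line {lineno}: {AFFECTED} key ({comment or 'no comment'})")
```

A flagged entry only shows that a key of the affected type is authorized; whether it was ever used with PuTTY or Pageant has to be established with the key's owner.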
