Vulnerability Alert
CVE-2024-31497 Full Recovery of ECDSA Private Keys Possible
Severity: Medium
CVE-2024-31497 Full Recovery of ECDSA Private Keys Possible
Bravura Security has been alerted to a vulnerability that affects certain versions of the PuTTY Secure Shell (SSH) library, potentially leading to the full recovery of ECDSA private keys.
Issue
In PuTTY versions 0.68 to 0.80, a flaw in the ECDSA nonce generation process allows an attacker to recover the NIST P-521 secret key after observing a limited number of signatures. This vulnerability specifically impacts users who generate ECDSA keys with these versions for SSH authentication. If an attacker operates an SSH server to which the victim connects using the compromised key, they can exploit this flaw, which may also affect SSH connections to other services.
Affected Versions
This vulnerability is present in PuTTY versions 0.68 through 0.80, and it affects Bravura Security Fabric versions 12.2.x (Connector Pack 4.1.x) and higher when ECDSA keys are used for SSH authentication on Linux, Solaris, AIX, or HP-UX systems. This issue has been ranked as a medium-level issue (6.1) for the CVE scoring.
Remediations and Mitigations
If your Bravura Security Fabric solution is affected, please check this knowledge base article for more information. The article contains steps to identify if you are affected by this security advisory and steps to take on your system to remediate the issue. The steps will not require a patch from Bravura Security.
Questions
Please contact support@bravurasecurity.com if you have further questions on this topic.
Acknowledgments
We are committed to ensuring the security of our users and recommend immediate action to address this vulnerability. Bravura Security thanks the community and researchers who contribute to the security of our software.