
PuTTY SSH Client Flaw

CVE-2024-31497 is a vulnerability in PuTTY versions 0.68 through 0.80. PuTTY is a popular open-source terminal emulator, serial console, and network file transfer application that supports SSH, Telnet, SCP, and SFTP. IT professionals and engineers use PuTTY to remotely access and manage servers and other networked devices from a Windows client. This CVE (Common Vulnerabilities and Exposures) entry describes a flaw that can allow an attacker to recover a user's private key.

How is this vulnerability exploited? There are currently two known methods, one of which requires prior access to an SSH server the victim connects to. In SSH public-key authentication, the client creates a digital signature with the user's private key and the server verifies it with the corresponding public key, which establishes the user's identity and protects the session. If an attacker has gained control of an SSH server that unsuspecting users connect to with PuTTY, they can collect the signatures those logins produce over time and use them to calculate the target's private key.

The second method does not require compromising an SSH server in advance; one example is the use of SSH keys to sign Git commits. A common setup runs Pageant, PuTTY's ssh-agent, locally and forwards the agent to a development host. Git is configured to use OpenSSH to sign commits with the SSH key held in Pageant. Each commit signature is then generated by Pageant, which makes the key susceptible to private key recovery from the collected signatures.

Fortunately, PuTTY's developers fixed the vulnerability in version 0.81. However, PuTTY's code is embedded in several other popular open-source file transfer applications, so those applications need to be updated as well. The following software that uses PuTTY code is confirmed as affected:

  • FileZilla 3.24.1 – 3.66.5 (fixed in 3.67.0)
  • WinSCP 5.9.5 – 6.3.2 (fixed in 6.3.3)
  • TortoiseGit 2.4.0.2 – 2.15.0 (fixed in 2.15.0.1)
  • TortoiseSVN 1.10.0 – 1.14.6 (mitigation possible by configuring TortoiseSVN to use Plink from the latest PuTTY 0.81 release)
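To turn the ranges above into an inventory check, here is an added Python example (not code from the advisory, from PuTTY, or from any of the listed projects). It encodes the affected and fixed versions exactly as listed, compares versions numerically rather than as strings (so 2.15.0 is affected while 2.15.0.1 is fixed), and runs over a constructed `product,version` inventory; the product names, the inventory format and the sample lines are assumptions.

```python
import re

# Ranges from the advisory above: (first affected, last affected, first fixed); TortoiseSVN lists no fix.
AFFECTED_RANGES = {
    "putty":       ("0.68",    "0.80",   "0.81"),
    "filezilla":   ("3.24.1",  "3.66.5", "3.67.0"),
    "winscp":      ("5.9.5",   "6.3.2",  "6.3.3"),
    "tortoisegit": ("2.4.0.2", "2.15.0", "2.15.0.1"),
    "tortoisesvn": ("1.10.0",  "1.14.6", None),
}

def parse_version(text):
    """'Release 0.80' -> (0, 80). Trailing zeros are dropped so 2.15.0 == 2.15, but 2.15.0.1 > 2.15."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def classify(product, version):
    """Return 'affected', 'fixed', 'older-than-range', 'unknown' or 'not-listed'."""
    rng = AFFECTED_RANGES.get(product.lower())
    if rng is None:
        return "not-listed"          # product is not in the advisory's list
    low, high, fixed = rng
    v = parse_version(version)
    if v < parse_version(low):
        return "older-than-range"    # predates the affected range as listed
    if v <= parse_version(high):
        return "affected"
    return "fixed" if fixed is not None else "unknown"  # no fix listed (TortoiseSVN): verify Plink 0.81

# Constructed sample inventory (product,version per line), not real data.
SAMPLE_INVENTORY = """\
PuTTY,0.80
PuTTY,Release 0.81
TortoiseGit,2.15.0
TortoiseGit,2.15.0.1
TortoiseSVN,1.14.6
OpenSSH,9.7
"""

def scan_inventory(text):
    """Return [(product, version, status)] for each non-empty 'product,version' line."""
    rows = [tuple(s.strip() for s in line.split(",", 1)) for line in text.splitlines() if line.strip()]
    return [(p, v, classify(p, v)) for p, v in rows]
```

A TortoiseSVN result of "unknown" means the version is above the listed range but no fixed release is named, so confirm it is configured to use Plink from PuTTY 0.81.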

Cerium now offers Vulnerability Management as a part of our Cerium Select MSSP service. Utilizing the power of Rapid7, we can assess and manage vulnerability risk in your network, so you don’t have to. Contact us for more information.
