Severity | CVE Code | Affected Component | Sources |
---|---|---|---|
High | CVE-2024-31497 | Every version of the PuTTY tools from 0.68 to 0.80 (OS: Windows) | chiark.greenend.org.uk |
Summary
The Telnet/SSH client PuTTY, in versions 0.68 to 0.80 (all released before 0.81), allows an attacker to recover the user’s private key.

This vulnerability is dangerous in scenarios where an attacker can read messages signed with PuTTY or Pageant, since a set of signed messages may be publicly available, for example when they are stored on a public Git service that uses SSH to sign commits. This means an attacker may already hold enough information to compromise a victim’s private key, even if the vulnerable versions of PuTTY are no longer in use. The danger is that, once the key is compromised, the attacker can carry out attacks on the software supply chain stored in Git.

Moreover, there is a second, independent scenario in which the attacker controls an SSH server that the victim authenticates to, even one the victim does not fully trust. The operator of such a server can derive the victim’s private key and use it for unauthorized access to other services, including Git services, again allowing supply-chain attacks.
- The vulnerability affects not only PuTTY but also other popular tools such as FileZilla before version 3.67.0, WinSCP before version 6.3.3, TortoiseGit before version 2.15.0.1, and TortoiseSVN before version 1.14.6.
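As an added check (example code written for this page, not from the advisory or any of the projects it names), the affected-version ranges listed above can be applied to a software inventory to find installations whose keys should be treated as exposed. The inventory records are constructed sample data; the product names and ranges are the ones the advisory gives.

```python
"""Flag inventory entries that fall inside the version ranges this advisory lists."""
from typing import Dict, List, Optional, Tuple

# (first affected version or None, first fixed version), taken from the advisory:
# PuTTY 0.68..0.80 is affected and 0.81 is fixed; the others are "before <version>".
AFFECTED: Dict[str, Tuple[Optional[str], str]] = {
    "PuTTY": ("0.68", "0.81"),
    "FileZilla": (None, "3.67.0"),
    "WinSCP": (None, "6.3.3"),
    "TortoiseGit": (None, "2.15.0.1"),
    "TortoiseSVN": (None, "1.14.6"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.80' or '2.15.0.1' into an int tuple so that '0.80' < '0.81' and '3.9' < '3.67'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(product: str, version: str) -> Optional[bool]:
    """True/False for products the advisory covers; None for products it does not mention."""
    window = AFFECTED.get(product)
    if window is None:
        return None
    first_affected, first_fixed = window
    current = parse_version(version)
    if first_affected is not None and current < parse_version(first_affected):
        return False
    return current < parse_version(first_fixed)


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "build-01", "product": "PuTTY", "version": "0.80"},
    {"host": "build-01", "product": "WinSCP", "version": "6.3.3"},
    {"host": "dev-07", "product": "TortoiseGit", "version": "2.14.0.1"},
    {"host": "dev-07", "product": "PuTTY", "version": "0.81"},
    {"host": "dev-09", "product": "FileZilla", "version": "3.9.1"},
    {"host": "ops-02", "product": "TortoiseSVN", "version": "1.14.6"},
    {"host": "ops-02", "product": "PuTTY", "version": "0.67"},
]


def flag_inventory(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the records whose product/version pair is inside an affected range."""
    return [r for r in records if is_affected(r["product"], r["version"])]


if __name__ == "__main__":
    for r in flag_inventory(SAMPLE_INVENTORY):
        print(f"{r['host']}: {r['product']} {r['version']} affected, rotate keys")
```

Because signatures produced earlier may already be public, a flagged host needs its keys rotated as well as the software upgraded.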
Mitigation
This vulnerability has been fixed in PuTTY 0.81. Users of TortoiseSVN are advised to configure TortoiseSVN to use Plink from the latest PuTTY 0.81 release when accessing an SVN repository via SSH until a patch becomes available.

Read more about the technical details at chiark.greenend.org.uk (see Sources above).