Critical PuTTY Vulnerability Exposes Private Keys - 20240419003

Overview

A severe security flaw has been discovered in the popular SSH client PuTTY (versions 0.68 to 0.80), impacting a wide range of software including FileZilla, WinSCP, TortoiseGit, and TortoiseSVN. This defect drastically weakens private keys used in the ECDSA algorithm with the NIST P-521 curve, leaving them easily recoverable by attackers.
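Because only ECDSA keys on the NIST P-521 curve are in scope, a first triage step is to inventory where such keys are authorised. The following is an added example, not part of the original advisory: it scans authorized_keys-format text for `ecdsa-sha2-nistp521` entries (the standard SSH key-type name for this curve) and confirms the type inside the key blob. The sample input and its comments are constructed, with filler bytes in place of key material.

```python
import base64
import struct

P521_TYPE = b"ecdsa-sha2-nistp521"  # SSH key-type name for ECDSA on NIST P-521

def ssh_string(data):
    """Encode bytes as an SSH wire string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def blob_key_type(b64):
    """Return the key type named inside a base64 public-key blob, or None."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n] if 4 + n <= len(blob) else None

def find_p521_keys(text):
    """Return (line_number, comment) for every P-521 ECDSA key in the text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options such as command="..." may precede the key type, so search
        # for the type token and require the blob that follows to agree.
        for i, tok in enumerate(fields[:-1]):
            if tok.encode() == P521_TYPE and blob_key_type(fields[i + 1]) == P521_TYPE:
                hits.append((lineno, " ".join(fields[i + 2:])))
                break
    return hits

def sample_blob(*parts):
    """Build a constructed (non-functional) key blob from SSH strings."""
    return base64.b64encode(b"".join(ssh_string(p) for p in parts)).decode()

# Constructed sample: filler bytes, not real keys.
SAMPLE = "\n".join([
    "# constructed authorized_keys sample",
    "ssh-ed25519 " + sample_blob(b"ssh-ed25519", b"\x01" * 32) + " alice@laptop",
    'no-pty,command="echo hi" ecdsa-sha2-nistp521 '
    + sample_blob(P521_TYPE, b"nistp521", b"\x04" + b"\x02" * 132) + " bob@putty",
    "ecdsa-sha2-nistp521 " + sample_blob(b"ssh-rsa", b"\x03" * 8) + " mislabelled",
])

if __name__ == "__main__":
    for lineno, comment in find_p521_keys(SAMPLE):
        print(f"line {lineno}: P-521 ECDSA key ({comment})")
```

The scan reports every P-521 key it finds; whether a given key was ever used with an affected PuTTY version has to be established separately.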

What is vulnerable?

| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated |
| --- | --- | --- | --- | --- | --- |
| CVE-2024-31497 | Medium | 5.9 | versions 0.68 through 0.80, before 0.81 | This issue may, in some scenarios, allow an attacker who controls a guest VM to determine the SSH private key of a XenCenter administrator who uses that key to authenticate to that guest VM while using an SSH connection. | 10 May, 2024 |

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within the expected timeframe of one month (refer to Patch Management):

Additional References