PuTTY SSH Client Vulnerability Enables Private Key Recovery
The widely-used PuTTY SSH client, along with other products like FileZilla, WinSCP, TortoiseGit, and TortoiseSVN, has been found vulnerable to a key recovery attack that could compromise NIST P-521 private keys. The flaw, assigned the CVE identifier CVE-2024-31497, allows attackers to recover private keys and forge signatures, potentially leading to unauthorized access to servers. The issue has been addressed in the latest versions of PuTTY, FileZilla, WinSCP, and TortoiseGit, with recommendations for users of TortoiseSVN to use the latest PuTTY release until a patch is available. Additionally, affected keys should be considered compromised and revoked.
