
Simon Tatham

We've released version 0.81. This is a SECURITY UPDATE, fixing a vulnerability in ECDSA signing for PuTTY.

If you've used a 521-bit ECDSA key (ecdsa-sha2-nistp521) with any previous version of PuTTY, consider it compromised! Generate a new key pair, and remove the old public key from authorized_keys files.

Other key types are not affected, even other sizes of ECDSA. In particular, Ed25519 is fine.

This vulnerability has id CVE-2024-31497. Full information is at chiark.greenend.org.uk/~sgtath

Linked page: www.chiark.greenend.org.uk, "PuTTY vulnerability vuln-p521-bias"
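As an added practical check (not part of the post above and not PuTTY project code), the script below finds the keys that the rotation advice applies to: P-521 entries in authorized_keys files, identified by the key type encoded inside the base64 blob rather than by the text field in front of it, and PuTTY .ppk private-key files, identified by their first header line. The sample authorized_keys content and .ppk header are constructed here with dummy key bytes; they are not real keys.

```python
import base64
import re
import struct

# Key type string that CVE-2024-31497 affects; all other types, including the
# other NIST curves and Ed25519, are unaffected.
AFFECTED_TYPE = "ecdsa-sha2-nistp521"

# One authorized_keys entry: optional options field, key type, base64 blob, optional comment.
# Every SSH key blob starts with a 32-bit length prefix of a short string, so its
# base64 form always begins with "AAAA"; anchoring on that tolerates option fields.
ENTRY_RE = re.compile(r"(\S+)\s+(AAAA[A-Za-z0-9+/=]+)(?:\s+(.*))?$")


def ssh_strings(blob):
    """Yield the length-prefixed strings of an SSH wire-format blob (RFC 4251 'string')."""
    off = 0
    while off + 4 <= len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        yield blob[off:off + length]
        off += length


def key_type_of_blob(b64):
    """Key type as encoded inside the blob, or None if the blob does not decode."""
    try:
        return next(ssh_strings(base64.b64decode(b64, validate=True))).decode("ascii")
    except (ValueError, StopIteration, UnicodeDecodeError):
        return None


def affected_authorized_keys(text):
    """Return (line_no, comment) for each entry whose blob encodes a P-521 key.
    The type is read from inside the blob, so a mislabelled text field cannot hide a key."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = ENTRY_RE.search(stripped)
        if m and key_type_of_blob(m.group(2)) == AFFECTED_TYPE:
            hits.append((lineno, m.group(3) or ""))
    return hits


def is_affected_ppk(text):
    """PuTTY private key files start with 'PuTTY-User-Key-File-<version>: <key type>'."""
    first_line = text.splitlines()[0] if text.strip() else ""
    m = re.match(r"PuTTY-User-Key-File-\d+:\s*(\S+)", first_line)
    return m is not None and m.group(1) == AFFECTED_TYPE


def make_blob(*fields):
    """Build a base64 SSH key blob from byte strings (used only to construct sample data)."""
    raw = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return base64.b64encode(raw).decode("ascii")


# Constructed sample authorized_keys content; the key material is dummy bytes, not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    "ssh-ed25519 " + make_blob(b"ssh-ed25519", b"\x01" * 32) + " alice@laptop",
    "ecdsa-sha2-nistp256 " + make_blob(b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x02" * 64) + " bob@desk",
    "ecdsa-sha2-nistp521 " + make_blob(b"ecdsa-sha2-nistp521", b"nistp521", b"\x04" + b"\x03" * 132) + " carol@putty",
    'from="10.0.0.0/8",no-pty ecdsa-sha2-nistp521 '
    + make_blob(b"ecdsa-sha2-nistp521", b"nistp521", b"\x04" + b"\x03" * 132) + " backup@putty",
])

# Constructed .ppk header (only the first line matters for this check).
SAMPLE_PPK_HEADER = "PuTTY-User-Key-File-3: ecdsa-sha2-nistp521\nEncryption: none\n"

if __name__ == "__main__":
    for lineno, comment in affected_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: P-521 key ({comment}) - generate a new key and remove this entry")
    print("sample .ppk affected:", is_affected_ppk(SAMPLE_PPK_HEADER))
```

Run it over real files by reading them into `affected_authorized_keys` and `is_affected_ppk`; every hit is a key to regenerate, and the matching public key must be removed from every authorized_keys file it was ever added to, since the exposure comes from having used the key with PuTTY, not from where it was generated.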

@simontatham Hi and thanks for the quick bugfix. From what I know, ecdsa-sha2-nistp521 has never been the default key type in Puttygen, so "normal" keys (mostly ssh-rsa and ssh-ed25519) should be fine?

@simontatham Thank you for your continued development of this application, it's essential and I've relied upon it. 🙇‍♀️🙏💖

@simontatham superb write up and repair. Y’all were making safe “k” before making safe “k” was cool. I’m just glad we have folks still around to know how computers work.

Thanks team!!

@simontatham Used such a key with PuTTY, or created such a key with PuTTY?

@simontatham Oh, I see it only has to be used.

Thanks for the effort in fixing this.

@virtuous_sloth @simontatham from the linked writeup:
"The problem is not with how the key was originally generated; it doesn't matter whether it came from PuTTYgen or somewhere else. What matters is whether it was ever used with PuTTY or Pageant."

@simontatham oh!! Wow!! Thank you for putty! I dont really admin or anything, but ive used it to get into the back end of my MUD for a lifetime and have never felt remotely flustered or confused or held back by the client itself. Just a really good program & i thank your team for it!!

@simontatham @indigoparadox If I understand from skimming the link, this solely affects PuTTY (on Windows) and /not/ other implementations of SSH, right?

@lispi314 @simontatham The issue is solely with PuTTY, but any key that's been used with PuTTY can be assumed compromised (even if generated elsewhere), because PuTTY's handling of it makes the private key retrievable based on the encrypted traffic.

@lispi314 @indigoparadox PuTTY on any platform, actually. PuTTY can run on Unix too, though it's less popular there. And its ECDSA signing code is the same wherever it's running.

Independent implementations such as OpenSSH aren't affected, that's correct.

@simontatham @lispi314 @indigoparadox Am I paranoid when I connect this vulnerability with the xz backdoor? To get the private keys an attacker needs access to SSH servers, which the xz backdoor could have provided. So it's imaginable that the group behind the backdoor found the ecdsa-sha2-nistp521 problem and thought: "how to make the most of it"?

@agitatra @lispi314 @indigoparadox interesting thought – hadn't occurred to me!

Off the top of my head I'd guess the number of P521 users is _relatively_ small. As another commenter pointed out, it's never been PuTTY's default; and generally the NIST curves seem to have mostly gone out of fashion these days, in favour of Ed25519.

So I doubt this was _all_ the xz backdoor actors were after. It doesn't seem worth all the effort by itself. But it could have been one thing on their shopping list.

@simontatham so sad to hear this news, but assured by the open information!

Thanks for your long lasting and hard work on Putty and other projects.

@simontatham Given that that's 3 additional clicks in the PuTTYgen UI (ECDSA, Dropdown, nistp521) I can almost assure we won't have any in our enterprise.

Surprised to see that the default in PuTTYgen 0.81 is still RSA, and only 2048 bits. Ed25519 even works with RHEL 7 (EoL 2024-06-30).

@brnrd I must admit I've always been nervous about switching the recommendation over to any form of DSA. _Mostly_ because of exactly this fragile k business, but not only that. Though Ed25519 is IMO an improvement on integer DSA and NIST ECDSA – it's easier to see its security argument.

Plus I half expect any day now the post-quantum Next Big Thing will be standardised for SSH and then we'll all have to switch again.

Bumping the default RSA size, though, fair enough – patch welcome!
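The "fragile k" that the reply above refers to is the ECDSA per-signature nonce: if it is predictable or biased, signatures leak the private key. The advisory linked in the first post explains that PuTTY's deterministic nonce was a SHA-512 output reduced mod the group order; for the 521-bit P-521 order a 512-bit value is always already below the order, so the reduction changes nothing and the top 9 bits of every nonce are zero, which is enough for a lattice attack to recover the key from a few dozen signatures. The block below is an added illustration, not PuTTY's code: it reproduces that derivation pattern beside a simple safe one and measures the bias across the three NIST curves, which shows why only P-521 is affected (the other orders are shorter than 512 bits, so the reduction really does spread the hash output over the whole group). The curve orders are the FIPS 186-4 constants; RFC 6979 is the standard deterministic construction and is what a real fix should use.

```python
import hashlib
import secrets

# Group orders n of the three NIST curves used by ecdsa-sha2-nistp* (FIPS 186-4 constants).
CURVE_ORDERS = {
    "ecdsa-sha2-nistp256": int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16),
    "ecdsa-sha2-nistp384": int("F" * 48 + "C7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973", 16),
    "ecdsa-sha2-nistp521": int("01FF" + "F" * 62
                               + "FA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16),
}


def biased_nonce(priv, msg_hash, n):
    """The flawed pattern: k = SHA-512(priv || h) mod n.
    A 512-bit hash output is always below a 521-bit n, so for P-521 the
    reduction does nothing and the top 9 bits of k are zero in every signature."""
    digest = hashlib.sha512(priv.to_bytes(66, "big") + msg_hash).digest()
    return int.from_bytes(digest, "big") % n


def safe_nonce(priv, msg_hash, n):
    """One correct pattern: draw at least bit_length(n) + 128 bits before reducing mod n,
    so the distance from uniform is negligible whatever the size of n.
    (A simplified illustration; RFC 6979 is the standard construction.)"""
    nbytes = (n.bit_length() + 128 + 7) // 8
    digest = hashlib.shake_256(priv.to_bytes(66, "big") + msg_hash).digest(nbytes)
    return int.from_bytes(digest, "big") % n


def min_leading_zero_bits(nonce_fn, n, samples=200):
    """Smallest number of leading zero bits (relative to the width of n) seen across
    nonces for `samples` distinct messages. 0 means some nonce used the full width;
    a fixed positive floor means every nonce is short, i.e. the nonce is biased."""
    priv = secrets.randbelow(n - 1) + 1          # random private scalar in [1, n-1]
    floor = n.bit_length()
    for i in range(samples):
        msg_hash = hashlib.sha256(b"message %d" % i).digest()   # constructed messages
        k = nonce_fn(priv, msg_hash, n)
        floor = min(floor, n.bit_length() - k.bit_length())
    return floor


if __name__ == "__main__":
    for name, n in CURVE_ORDERS.items():
        print(f"{name}: biased floor={min_leading_zero_bits(biased_nonce, n)} "
              f"safe floor={min_leading_zero_bits(safe_nonce, n)}")
```

For P-256 and P-384 the flawed derivation still reports a floor of 0, because a 512-bit value reduced mod a 256- or 384-bit order covers the whole range; for P-521 it reports 9, i.e. 9 known-zero bits in every nonce, and the safe derivation brings that back to 0. A fixed floor like that is exactly the condition the key-recovery attack needs, which is why a P-521 key that has signed even a modest number of times with the old code has to be treated as compromised.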

@simontatham seems like RedHat is really hanging on to an OpenSSH version that still defaults to RSA. OpenSSH's default has been Ed25519 for years now, yet is lacking Ed448 support. Was pleasantly surprised to see Ed448 in PuTTYgen!

Let me see if I can cook up a patch for PuTTYgen's default! Nice challenge.

Thanks for creating and maintaining PuTTY all those years. It's been an essential tool for me since the previous century. If it weren't for WSL, I'd surely still be rocking PuTTY!

@simontatham Also thanks for posting these here. It really helps spread the word!

@simontatham is ArcosPutty 75.1.8 vulnerable to CVE-2024-31497?

@anonymous236 I'm sorry to say that I don't know anything about ArcosPutty or its version numbers. You'd have to ask its own maintainers which version of upstream PuTTY it's based on, or what fixes they've applied.