Email or username:

Password:

Forgot your password?
Simon Tatham

We've released #PuTTY version 0.81. This is a SECURITY UPDATE, fixing a #vulnerability in ECDSA signing for #SSH.

If you've used a 521-bit ECDSA key (ecdsa-sha2-nistp521) with any previous version of PuTTY, consider it compromised! Generate a new key pair, and remove the old public key from authorized_keys files.

Other key types are not affected, even other sizes of ECDSA. In particular, Ed25519 is fine.

This vulnerability has id CVE-2024-31497. Full information is at chiark.greenend.org.uk/~sgtath

13 comments
Cloud Manul

@simontatham Hi and thanks for the quick bugfix. From what I know, ecdsa-sha2-nistp521 has never been the default key type in Puttygen, so "normal" keys (mostly ssh-rsa and ssh-ed25519) should be fine?

Filene

@simontatham Thank you for your continued development of this application, it's essential and I've relied upon it. πŸ™‡β€β™€οΈπŸ™πŸ’–

James Cuff

@simontatham superb write up and repair. Y’all were making safe β€œk” before making safe β€œk” was cool. I’m just glad we have folks still around to know how computers work.

Thanks team!!

Bruce Elrick

@simontatham Used such a key with PuTTY, or created such a key with PuTTY?

Bruce Elrick

@simontatham Oh, I see it only has to be used.

Thanks for the effort in fixing this.

Keeper of the orb

@simontatham oh!! Wow!! Thank you for putty! I dont really admin or anything, but ive used it to get into the back end of my MUD for a lifetime and have never felt remotely flustered or confused or held back by the client itself. Just a really good program & i thank your team for it!!

SnoopJ

@jalcine it's correct as written, but it's easy to mistake it for a typo if you're expecting powers of 2 (as with key lengths for non-elliptic-curve cryptography)

Simon Tatham

@jalcine no, 521 is right! NIST elliptic curve keys come in three fixed sizes, and one of them _isn't_ the obvious power of 2.

In fact, the difference between 521 and 512 is exactly the cause of the problem – those 9 extra bits are the amount of information that PuTTY was accidentally leaking about the private key per signature.

LisPi
@simontatham @indigoparadox If I understand from skimming the link, this solely affects PuTTY (on Windows) and /not/ other implementations of SSH, right?
Henrik Kramselund - kramse

@simontatham so sad to hear this news, but assured by the open information!

Thanks for your long lasting and hard work on Putty and other projects.

Go Up