High Priority PuTTY Vulnerability Threatens Server Access Security

'A critical security vulnerability in PuTTY, a very popular software for secure terminal access to remote servers, has been discovered. This vulnerability could put the private keys of many users at risk. Cataloged as CVE-2024-31497, the vulnerability affects PuTTY version numbers between 0.68 and 0.80. So, if you have been using PuTTY during this time, it is important to be aware of what this means for your data security.

Fabian Bäumer and Marcus Brinkmann of the Ruhr University Bochum found the vulnerability. It concerns how PuTTY forms signatures from the ECDSA private keys on the NIST P521 curve. The vulnerability with PuTTY is that it creates a component of the signature called 'nonce' during the generation process. This randomly generated number can be used once in a cryptographic communication, thus ensuring that old communications cannot be reused in replay attacks. However, PuTTY used a deterministic method to generate nonces due to the lack of a high-quality random number generator in early Windows systems. This deterministic method was biased for the P521 curve, which made the private key recovery possible.

Simply put, an attacker who gets hold of multiple signed messages can potentially recover your private key due to a specific bias in the signature creation process. This would allow them to forge signatures and access any servers where you've used this key.'

-- source: https://linuxiac.com/high-priority-putty-vulnerability-found/

Cheers, Peter
--
My Open Source Blog - http://open.fracpete.org
participants (1)
- Peter Reutemann
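As an added example, not taken from the quoted article or from the PuTTY project: a small Python check for the two facts the advisory gives, whether a PuTTY version string falls in the affected 0.68 to 0.80 range, and which entries in an authorized_keys file are ECDSA keys on P-521 and therefore candidates for rotation. It assumes OpenSSH's public-key text format, in which the curve name (nistp521) is embedded in the base64 blob after the key type; the key lines it scans are constructed, not real keys.

```python
import base64
import binascii
import struct

# Affected PuTTY releases as stated in the quoted advisory: 0.68 through 0.80.
AFFECTED_MIN, AFFECTED_MAX = (0, 68), (0, 80)

def putty_version_affected(version: str) -> bool:
    """True if a PuTTY version string such as '0.79' lies in the affected range."""
    major, minor = (int(p) for p in version.strip().split(".")[:2])
    return AFFECTED_MIN <= (major, minor) <= AFFECTED_MAX

def _read_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string (uint32 length + bytes); return (bytes, next offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length], offset + 4 + length

def key_needs_rotation(line: str) -> bool:
    """True if an authorized_keys/public-key line holds an ECDSA key on NIST P-521,
    the only key type exposed by CVE-2024-31497 (RSA, ed25519, P-256/P-384 are not)."""
    parts = line.split()
    for i, token in enumerate(parts[:-1]):
        if not token.startswith("ecdsa-sha2-"):
            continue  # skips authorized_keys options and non-ECDSA key types
        try:
            blob = base64.b64decode(parts[i + 1], validate=True)
        except binascii.Error:
            return False
        key_type, off = _read_string(blob, 0)
        curve, _ = _read_string(blob, off)
        # The type inside the blob must match the text prefix; the embedded curve decides.
        return key_type == token.encode() and curve == b"nistp521"
    return False

def _constructed_key_line(curve: str) -> str:
    """Build a syntactically valid ECDSA public-key line with a dummy point (not a real key)."""
    key_type = f"ecdsa-sha2-{curve}".encode()
    fields = [key_type, curve.encode(), b"\x04" + b"\x00" * 132]  # type, curve, point
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} user@example"

SAMPLE_AUTHORIZED_KEYS = [  # constructed sample content, not real keys
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE user@laptop",
    _constructed_key_line("nistp256"),
    'from="10.0.0.0/8" ' + _constructed_key_line("nistp521"),
]

def lines_to_rotate(lines) -> list:  # 1-based line numbers of keys to replace
    return [n for n, line in enumerate(lines, 1) if key_needs_rotation(line)]
```

Run it against a real authorized_keys file to list the P-521 entries to replace; the affected keys should be regenerated and the old public keys removed from every server they were installed on.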