iSecurity Social’s Post

TLDR: The vulnerability has been fixed in the latest versions of the affected products: PuTTY 0.81 FileZilla 3.67.0 WinSCP 6.3.3 TortoiseGit 2.15.1 TortoiseSVN 1.14.7 Users are strongly advised to update to these patched versions as soon as possible to mitigate the risk of private key compromise.

PuTTY Client Vulnerability The PuTTY client and all related components, including FileZilla, WinSCP, TortoiseGit, and TortoiseSVN, generate ECDSA nonces with the first 9 bits set to zero when using the NIST P-521 elliptic curve. This significant bias in the nonce generation allows attackers to recover the full private key after observing roughly 60 valid ECDSA signatures from the same key. The attack works by leveraging state-of-the-art lattice-based techniques to recover the private key from the biased nonces.

🚨 Attention Network & Server Administrators! 🚨 In light of recent concerns regarding PuTTY's security, it's crucial for us to explore robust alternatives that ensure our connections remain secure and efficient. PuTTY has been a staple tool for SSH and server administration, especially on Windows platforms. However, the digital landscape is ever-evolving, and so should our tools. Here's a curated list of top PuTTY alternatives that offer advanced features, enhanced security, and a better user experience: 1. **KiTTY** - A fork of PuTTY, KiTTY introduces a wealth of new features including a tabbed interface, session filtering, and portability. 2. **Solar-PuTTY** - Stands out with its tabbed interface, session management, and script execution capabilities, making it a powerful alternative. 3. **MobaXterm** - Offers a rich set of features including an X11 server, tabbed SSH client, network tools, and more. It's a comprehensive solution for remote computing. 4. **Bitvise SSH Client** - Known for its ease of use and comprehensive protocol support, Bitvise is a solid choice for Windows users. 5. **Xshell 6 Client** - Offers dynamic port forwarding and a tabbed interface, addressing one of PuTTY's major limitations. For a detailed comparison and more options, check out this comprehensive guide: [Best PuTTY Alternatives for SSH Clients](https://lnkd.in/g9AdYHDa). Let's stay ahead of the curve by adopting tools that not only meet our current needs but also anticipate future challenges. Share your experiences or your go-to SSH client in the comments below! #NetworkAdministration #ServerManagement #CyberSecurity #SSHClient #PuTTYAlternatives

**Admins, update PUTTY** 🛠️ - The vulnerability allows attackers to recover NIST P-521 private keys after observing about 60 ECDSA signatures. 🔐 - PuTTY generates biased ECDSA nonces with the first 9 bits set to zero when using the NIST P-521 curve. 🔄 - Attackers can exploit this bias to recover private keys using state-of-the-art techniques. 🕵️♂️ - Affected products include PuTTY, FileZilla, WinSCP, TortoiseGit, and TortoiseSVN. 📦 - Mitigations involve updating affected products to patched versions. 🔒 A severe vulnerability in PuTTY and related components has been discovered, enabling attackers to recover NIST P-521 private keys after observing approximately 60 ECDSA signatures. This vulnerability stems from biased nonce generation, affecting several products like PuTTY, FileZilla, WinSCP, TortoiseGit, and TortoiseSVN. Mitigations involve updating affected products to patched versions to reduce the risk of private key compromise. #CyberSecurity #PuTTYVulnerability

Some of our most popular utilities. Quick read but update!

🚨 [Cyber] Critical PuTTY Client Vulnerability Lets Attackers Recover Private Keys 👉 A severe vulnerability has been discovered in the PuTTY client and related components, allowing attackers to fully recover NIST P-521 private keys. The PuTTY client generates heavily biased ECDSA nonces... https://lnkd.in/gBuyehE7

PuTTY vulnerability can be exploited to recover private keys (CVE-2024-31497): A vulnerability (CVE-2024-31497) in PuTTY, a popular SSH and Telnet client, could allow attackers to recover NIST P-521 client keys due to the “heavily biased” ECDSA nonces (random values used once), researchers have discovered. “To be more precise, the first 9 bits of each ECDSA nonce are zero. This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques,” Fabian Bäumer shared on the oss-sec mailing list. According to PuTTY maintainers, … More → The post PuTTY vulnerability can be exploited to recover private keys (CVE-2024-31497) appeared first on Help Net Security.

I came across this great video by Dan Barahona and Andrew Binder while working on a new book: https://lnkd.in/ebAkmRt2 It's three years old and every bit as relevant today. Was probably ahead of its time. The video goes through all the main API vulnerabilities and reviews some major breaches around 2021. In the video, Dan makes an important point: API vulnerabilities aren't like traditional web vulnerabilities. When we look at actual API breaches, they don't happen because of SQL injection, cross-site scripting, and so on. The most common cause is flaws in the business layer. Flaws in the way we design and implement user flows. For example, operations that expose way too much data, failure to enforce user-based access to restricted resources, exposing server-side properties in user input, etc. When APIs are designed like this, they're insecure by design. It doesn't take a sophisticated strategy to hack them, you can just abuse their existing functionality. To fix these problems, you have to tackle security early in your API journey. From the very moment you start thinking about user flows - that's when security comes in. #apis #apisecurity #cybersecurity .

A couple of noteworthy articles.... 1. For the more technical leaning, check if you have libcurl or curl installed in your environment. There's a patch for a critical vuln coming out tomorrow. 2. This is older news but has a nice infographic explaining how attackers are using proxies as part of their phishing campaigns to gather session cookies allowing the bypass of MFA and other authentication protections. https://lnkd.in/gKdnpzpk https://lnkd.in/gUwwn6K8

Heads Up! Critical PuTTY Vulnerability Exposes Private Keys (CVE-2024-31497) Hey everyone, there's a critical vulnerability in PuTTY that could compromise your security. If you use PuTTY for SSH connections, this post is for you! What's the issue? PuTTY versions 0.68 to 0.80 have a flaw (CVE-2024-31497) that makes it possible for attackers to steal your private keys, specifically those using the NIST P-521 curve with the ECDSA algorithm. With your private key, attackers could impersonate you and gain access to servers or accounts you normally connect to. How serious is this? This is a severe vulnerability. If you're using an affected version of PuTTY and an attacker exploits this flaw, they could gain complete control over your private keys. What should I do? Here's how to protect yourself: Update PuTTY: The good news is the PuTTY team has released a fix. Update to PuTTY version 0.81 or later as soon as possible. You can download it from the official PuTTY website. Generate new keys (recommended): Even if you update, it's recommended to generate new key pairs. This is because there's a chance your existing keys might already be compromised. Ideally, use keys with the Ed25519 algorithm, which is not affected by this vulnerability. Check other software: This vulnerability might also affect other software that relies on PuTTY for SSH connections, like FileZilla or WinSCP. Make sure to update those programs as well. https://lnkd.in/g7qEkfrJ #putty #securityadvisory #cybersecurity