
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A critical vulnerability (CVE-2024-31497) affects PuTTY versions 0.68 through 0.80, where biased ECDSA nonce generation allows attackers to recover a user's NIST P-521 secret key via a quick attack requiring approximately 60 signatures. The vulnerability also impacts several other software packages that bundle PuTTY, including FileZilla (3.24.1 - 3.66.5), WinSCP (5.9.5 - 6.3.2), TortoiseGit (2.4.0.2 - 2.15.0), and TortoiseSVN (1.10.0 - 1.14.6). The issue was discovered by Fabian Bäumer and Marcus Brinkmann from Ruhr University Bochum (OpenWall, PuTTY Advisory).
The vulnerability stems from PuTTY's deterministic nonce generation method, which takes a SHA-512 hash output and reduces it modulo q. For the NIST P-521 curve, q has 521 bits, so a 512-bit hash value is already smaller than q and the reduction leaves it unchanged. As a result, the top 9 bits of every nonce are always zero, introducing a significant bias. This bias allows attackers to employ lattice-based techniques to recover the private key after collecting approximately 60 signatures. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.9 (Medium) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).
An attacker who obtains sufficient signatures can recover the victim's private key, allowing unauthorized access to any servers where that key is used for authentication. This is particularly concerning in scenarios where signatures are publicly available, such as signed Git commits, or where an attacker controls an SSH server the victim connects to. The compromised key could enable supply-chain attacks on software maintained in Git (PuTTY Advisory, BleepingComputer).
Users should immediately upgrade to fixed versions: PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, or TortoiseGit 2.15.0.1. For TortoiseSVN users, configure it to use Plink from PuTTY 0.81 when accessing SVN repositories via SSH. All NIST P-521 (ecdsa-sha2-nistp521) keys used with affected versions should be considered compromised and must be revoked by removing them from authorized_keys files and other locations. Generate new key pairs to replace the compromised ones. Note that other key types, including Ed25519 and other ECDSA curves, are not affected (PuTTY Advisory).
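To support the revocation step above, the following added example (not part of the original report or of any PuTTY tooling) scans authorized_keys content for ecdsa-sha2-nistp521 entries, including lines that start with an options field, and confirms the type against the key blob itself. The function names and the sample entries are constructed for illustration; the script cannot tell whether a key was ever used with an affected PuTTY build, so its output is a list of candidates to review.

```python
import base64
import struct

AFFECTED_TYPE = "ecdsa-sha2-nistp521"  # key type named in the advisory

def split_fields(line):
    """Split on whitespace, keeping double-quoted option values intact."""
    fields, cur, in_quote, prev = [], "", False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch in " \t" and not in_quote:
            if cur:
                fields.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return fields + ([cur] if cur else [])

def blob_type(b64):
    """Return the key type stored inside the base64 blob, or None if malformed."""
    try:
        raw = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        return raw[4:4 + n].decode("ascii")
    except (ValueError, struct.error):
        return None

def find_p521_keys(text):
    """Return (line_number, comment) for each P-521 entry in authorized_keys text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = split_fields(line.strip())
        if not fields or fields[0].startswith("#"):
            continue
        for i in range(min(2, len(fields) - 1)):  # type is field 0, or 1 after options
            if fields[i] == AFFECTED_TYPE and blob_type(fields[i + 1]) == AFFECTED_TYPE:
                hits.append((lineno, " ".join(fields[i + 2:])))
                break
    return hits

def fake_blob(keytype):  # constructed blob: length-prefixed type string, no key material
    return base64.b64encode(struct.pack(">I", len(keytype)) + keytype.encode()).decode()

SAMPLE = "\n".join([  # constructed authorized_keys content
    f"ssh-ed25519 {fake_blob('ssh-ed25519')} alice@laptop",
    f'from="10.0.0.*",command="echo hi there" ecdsa-sha2-nistp521 {fake_blob(AFFECTED_TYPE)} bob@putty',
    f"ecdsa-sha2-nistp521 {fake_blob(AFFECTED_TYPE)} dave key 2023",
])
```

Pass the contents of each authorized_keys file to find_p521_keys and review every reported line with the key's owner before removing it.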
The security community has actively discussed this vulnerability on various platforms. Security researchers have praised Simon Tatham's clear and forthcoming disclosure of the vulnerability without any attempt to downplay its severity. The vulnerability has garnered significant attention due to its potential impact on software supply chains and the widespread use of affected tools (HelpNet Security).
Source: This report was generated using AI