VRDA Feed by JPCERT/CC
  Vulnerability Response Decision Assistance Feed : Information for vulnerability impact analysis
[ about VRDA Feed | JPCERT/CC



 
Vulnerability Analysis Result (Revision No : 1) [ Download XML
JVNDB-2024-003103     ( CVE-2024-31497 )
PuTTY SSH クライアントの ECDSA 署名処理に脆弱性
https://jvndb.jvn.jp/ja/contents/2024/JVNDB-2024-003103.html

Original

PuTTY SSH クライアント実装には、ECDSA 署名処理の実装に脆弱性があります。 NIST P521 楕円曲線による ECDSA 秘密鍵を使っている場合、署名を行う際に生成する nonce に偏りがあります (CVE-2024-31497、CWE-1240)。 その結果、ごく少数の署名データから秘密鍵を特定される可能性があります。

Translation   (Show)





About This Analysis Information
Analysis Information Provider:
JVN iPedia
First Published:
2024-04-19
Source Information Category:
Advisory, Alert
Last Updated:
2024-04-19




Affected Product Tags
cpe:/a:simon_tatham:putty
 


Vulnerability Analysis Results
[Access Vector]  [?]
Undefined [?]

Local [?]
Adjacent Network [?]
Network [?]
[Access Complexit]  [?]
Undefined [?]

High [?]
Medium [?]
Low [?]
[Authentication]  [?]
Undefined [?]

Multiple [?]
Single [?]
None [?]
[Confidentiality Impact]  [?]
Undefined [?]

None [?]
Partial [?]
Complete [?]
[Integrity Impact]  [?]
Undefined [?]

None [?]
Partial [?]
Complete [?]
[Availability Impact]  [?]
Undefined [?]

None [?]
Partial [?]
Complete [?]
Alternatives
Common Vulnerabilities and Exposures (CVE) CVE-2024-31497








References
FileZilla [Revision 11142] Address PuTTY ECDSA NIST P521 private key recovery




JVN JVNVU#91264077




JVNDB CWE-1240 危険な実装による暗号プリミティブの使用




PuTTY PuTTY vulnerability vuln-p521-bias




TortoiseGit [Commit e9c1f3f4] Update PuTTY to 0.81




TortoiseSVN [Commit r29685] update to PuTTY 0.81




winscp Issue 2285 - NIST P521 private keys are exposed by biased signature generation




関連文書 oss-security mailing list (CVE-2024-31497: Secret Key Recovery of NIST P-521 Private Keys Through Biased ECDSA Nonces in PuTTY Client)




関連文書 RFC6979 (Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA))




Copyright © 2024 JPCERT/CC All Rights Reserved.