File Transfers Gone Bad, PuTTY And Others Spilling Private Keys
Update Your ‘Secure’ File Transfer Software
To ruin your day, a new vulnerability has been found in a variety of file transfer software that allows someone to recover your private key from just 60 of your public signatures. Those signatures can be acquired from a compromised computer, or just by reading your signed Git commits. The latter doesn’t require any special access, just patience and time.
The vulnerability is confirmed to affect PuTTY, FileZilla, WinSCP, TortoiseGit and TortoiseSVN, with others likely also vulnerable. You can check the exact versions as well as the official CVE at Bleeping Computer, or just update, as there is a very good chance you don’t have the latest version. The flaw comes from the way these programs generate the temporary, supposedly unique number (the signing nonce) used when they produce a signature during a connection: it is biased enough that, given enough signatures, it spills your private key.
Seeing as these programs are used not by your average user but by sysadmins and people transferring sensitive data, this is quite a bad one. Here’s hoping tomorrow doesn’t bring something worse!
A vulnerability tracked as CVE-2024-31497 in PuTTY 0.68 through 0.80 could potentially allow attackers with access to 60 cryptographic signatures to recover the private key used for their generation.
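As an added, defender-side example that is not part of the original post (and not code from any of the projects named), here is a small Python inventory check. It parses OpenSSH-format public key lines, flags the key type whose signatures this CVE exposes (ECDSA over NIST P-521, `ecdsa-sha2-nistp521`; the post does not name the curve, but it is the only key type affected by CVE-2024-31497), and checks a PuTTY version string against the 0.68 through 0.80 range quoted above. The sample authorized_keys content is constructed inline with placeholder points, not real keys, so the script runs offline.

```python
import base64
import struct
from typing import List, NamedTuple, Optional

# CVE-2024-31497 only exposes signatures made with ECDSA keys over NIST P-521.
# That is a property of the CVE, not a statement the post itself makes;
# other key types need no rotation because of this bug.
AFFECTED_KEY_TYPE = "ecdsa-sha2-nistp521"

# PuTTY version range quoted in the post: 0.68 through 0.80 inclusive.
AFFECTED_PUTTY_RANGE = ((0, 68), (0, 80))


class KeyRecord(NamedTuple):
    key_type: str
    curve: str       # curve name inside the wire blob, "" for non-ECDSA keys
    comment: str
    affected: bool


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string starting at offset; return (bytes, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_authorized_key(line: str) -> Optional[KeyRecord]:
    """Parse one authorized_keys-style line; None for blank lines and comments.

    Leading authorized_keys options (e.g. command="...") are skipped as long as
    they contain no embedded spaces.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens)
                if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError(f"malformed key line: {line!r}")
    key_type, b64 = tokens[idx], tokens[idx + 1]
    comment = " ".join(tokens[idx + 2:])
    blob = base64.b64decode(b64, validate=True)
    # The blob repeats the key type; insist that it matches the text prefix so
    # a mislabelled line cannot slip past an inventory check.
    inner_type, off = _read_ssh_string(blob, 0)
    if inner_type.decode() != key_type:
        raise ValueError(f"key type mismatch: {key_type} vs {inner_type!r}")
    curve = ""
    if key_type.startswith("ecdsa-sha2-"):
        curve_bytes, off = _read_ssh_string(blob, off)
        curve = curve_bytes.decode()
    affected = key_type == AFFECTED_KEY_TYPE and curve == "nistp521"
    return KeyRecord(key_type, curve, comment, affected)


def affected_keys(text: str) -> List[KeyRecord]:
    """Return the records in text whose key type is exposed by the CVE."""
    records = (parse_authorized_key(ln) for ln in text.splitlines())
    return [r for r in records if r is not None and r.affected]


def putty_version_in_affected_range(version: str) -> bool:
    """True if a PuTTY version string such as "0.80" falls in 0.68..0.80."""
    parsed = tuple(int(part) for part in version.strip().split("."))
    low, high = AFFECTED_PUTTY_RANGE
    return low <= parsed <= high


# --- constructed sample input (placeholder points, not real keys) -------------
def make_ecdsa_pubkey_line(curve: str, comment: str) -> str:
    """Build a well-formed ecdsa-sha2-<curve> line around a placeholder point."""
    key_type = f"ecdsa-sha2-{curve}"
    coord_len = {"nistp256": 32, "nistp384": 48, "nistp521": 66}[curve]
    point = b"\x04" + b"\x11" * (2 * coord_len)   # CONSTRUCTED, not a real point
    blob = _ssh_string(key_type.encode()) + _ssh_string(curve.encode()) + _ssh_string(point)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def make_ed25519_pubkey_line(comment: str) -> str:
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x22" * 32)  # CONSTRUCTED
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys; none of these are real keys",
    make_ecdsa_pubkey_line("nistp521", "deploy@build-host"),
    make_ecdsa_pubkey_line("nistp256", "alice@laptop"),
    make_ed25519_pubkey_line("bob@desktop"),
    'command="/usr/local/bin/backup" ' + make_ecdsa_pubkey_line("nistp521", "backup@nas"),
])

if __name__ == "__main__":
    for rec in affected_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"ROTATE: {rec.key_type} {rec.comment}")
    print("PuTTY 0.80 in affected range:", putty_version_in_affected_range("0.80"))
```

Run it against a real `authorized_keys` or `known_hosts` file by passing the file's contents to `affected_keys`. Because signatures made with an affected key may already have been collected (the post notes signed Git commits are enough), a flagged key should be treated as exposed and replaced rather than simply reused with updated software; the version check only tells you whether the client that made those signatures was one of the buggy PuTTY releases.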
More Tech News From Around The Web
- Cisco warns of large-scale brute-force attacks against VPN services @ Bleeping Computer
- Linux Fu: Stupid Systemd Tricks @ Hackaday
- Samsung snags $6.4B in CHIPS Act funds for Texas fabs @ The Register
- YouTube’s Ad Blocker Crackdown Now Includes Third-Party Apps @ Slashdot
- Open source versus Microsoft: The new rebellion begins @ The Register
- MEGA 2.5GbE Switch Guide Update with 21 New Models Added @ ServeTheHome