Last updated Apr 19, 2024 8:57 AM

PuTTY vulnerability

A vulnerability has recently been disclosed in the PuTTY SSH client (CVE-2024-31497).

Please take relevant action if you have any of the following on your personal and/or lab computer(s):

  1. If installed, please update: PuTTY, FileZilla, WinSCP, TortoiseGIT, TortoiseSVN. More detailed information is below under "SOFTWARE IMPACTED".
  2. If you have specifically generated ECDSA keys, please replace any NIST P521 private keys that have been used by PuTTY. Important note: this is not the default setting for key generation with PuTTY, and this section is likely irrelevant to most users. More detailed information is below under "NIST P521 KEYS".

SOFTWARE IMPACTED:

If you have PuTTY installed on your computer, please update your software to version 0.81.

Additionally, this vulnerability may be a concern for other software that bundles PuTTY's SSH code. This includes, but may not be limited to, the following: FileZilla, WinSCP, TortoiseGIT, TortoiseSVN. If any of these are installed on your computer, please update them as well to the following versions:
FileZilla version 3.67.0
WinSCP version 6.3.3
TortoiseGIT version 2.15.0 (Incremental security fix for PuTTY CVE-2024-31497)
TortoiseSVN version 1.14.7

NIST P521 KEYS:

Private keys on the NIST P521 curve (a 521-bit ECDSA curve) that have been used by PuTTY should be considered unsafe and replaced by new, secure keys. As recommended by PuTTY, please revoke these keys by removing the old public key from every authorized_keys file it appears in. Once it has been removed from authorized_keys, please generate a new key.
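To help with the revocation step above, here is an added example (not part of the BIT advisory and not PuTTY's own tooling) that finds P521 ECDSA entries in an authorized_keys file on the servers you log in to. In the authorized_keys format a P521 key is identified by the key type token ecdsa-sha2-nistp521, which may be preceded by options such as from="..." or command="...". The sample authorized_keys content and the key blobs in it are constructed placeholders. The script only writes a stripped copy; it never edits the original in place, because P521 keys that were never used by PuTTY are not affected and should be reviewed before removal.

```shell
#!/bin/sh
# Added example: locate and optionally strip NIST P521 ECDSA public keys
# (SSH key type "ecdsa-sha2-nistp521") from an authorized_keys file.
# Not from the BIT advisory or from PuTTY; the sample data below is constructed.
set -eu

# Regex for a line whose key type is ecdsa-sha2-nistp521. The token may be the
# first field or follow an options field such as from="..." or command="...".
P521_RE='(^|[[:space:]])ecdsa-sha2-nistp521[[:space:]]'

# Number of P521 entries in the given authorized_keys file (prints 0 if none).
count_p521_keys() {
    grep -cE "$P521_RE" "$1" || true
}

# Print the P521 entries with line numbers so an administrator can review
# which ones were generated by PuTTY before revoking them.
list_p521_keys() {
    grep -nE "$P521_RE" "$1" || true
}

# Write a copy of the file ($2) with all P521 entries removed. The original
# ($1) is left untouched; replace it only after reviewing the new copy.
strip_p521_keys() {
    grep -vE "$P521_RE" "$1" > "$2" || true
}

# Constructed sample authorized_keys; the key blobs are placeholders, not real keys.
make_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# lab server keys (constructed sample)
ssh-ed25519 AAAAC3PLACEHOLDERED25519KEY user@lab-pc
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEPLACEHOLDER puttyuser@win-laptop
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYPLACEHOLDER user@mac
from="10.0.0.0/8",no-agent-forwarding ecdsa-sha2-nistp521 AAAAE2VjZHNhPLACEHOLDER2 backup@win-server
ssh-rsa AAAAB3PLACEHOLDERRSAKEY user@old-box
EOF
}

# Demonstration on the constructed sample when the script is run directly.
tmpdir=$(mktemp -d)
make_sample_authorized_keys "$tmpdir/authorized_keys"
echo "P521 entries found: $(count_p521_keys "$tmpdir/authorized_keys")"
list_p521_keys "$tmpdir/authorized_keys"
strip_p521_keys "$tmpdir/authorized_keys" "$tmpdir/authorized_keys.new"
echo "Key entries remaining after stripping: $(grep -cvE '^[[:space:]]*(#|$)' "$tmpdir/authorized_keys.new")"
rm -rf "$tmpdir"
```

To check a real account, point count_p521_keys and list_p521_keys at ~/.ssh/authorized_keys (or the path your sshd is configured to use), review the listed entries, and only then replace the file with the stripped copy and install the newly generated public key.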


More information from NIST:
https://nvd.nist.gov/vuln/detail/CVE-2024-31497

TL;DR ACTION ITEMS:
1. Upgrade all relevant software listed: PuTTY, FileZilla, WinSCP, TortoiseGIT, TortoiseSVN.
2. Existing ECDSA P521 private keys used by PuTTY: revoke the old keys and generate new, secure keys.
3. Share this information with colleagues and lab mates!

Please email the BIT team with any questions or concerns:
bit-help [at] colorado [dot] edu



Posted in Category: Cluster Computing