We've released #PuTTY version 0.81. This is a SECURITY UPDATE, fixing a #vulnerability in ECDSA signing for #SSH.

If you've used a 521-bit ECDSA key (ecdsa-sha2-nistp521) with any previous version of PuTTY, consider it compromised! Generate a new key pair, and remove the old public key from authorized_keys files.

Other key types are not affected, even other sizes of ECDSA. In particular, Ed25519 is fine.

This vulnerability has id CVE-2024-31497. Full information is at https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html
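A defender-side check for the clean-up step in the post above, as an added example that is not part of the original thread or of PuTTY's code: it lists `ecdsa-sha2-nistp521` entries in `authorized_keys` content so they can be reviewed and replaced. The function names and the sample entries are constructed for illustration, and the check cannot tell which keys were ever used with PuTTY.

```python
import base64
import re
import struct

AFFECTED = "ecdsa-sha2-nistp521"  # key type named in the post above
# A field is a run of non-space characters; quoted option values may hold spaces.
FIELD = re.compile(r'(?:"(?:\\.|[^"\\])*"|\S)+')

def blob_key_type(b64):
    """Return the algorithm name inside an SSH public-key blob, or None."""
    try:
        blob = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
        name = blob[4:4 + n]
        return name.decode("ascii") if len(name) == n else None
    except (ValueError, struct.error):
        return None

def find_affected(text):
    """Return [(line_number, comment)] for each ecdsa-sha2-nistp521 entry."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        f = FIELD.findall(line)
        if not f or f[0].startswith("#"):
            continue
        for i in (0, 1):  # key type is field 0, or field 1 after options
            if len(f) > i + 1 and f[i] == AFFECTED and blob_key_type(f[i + 1]) == AFFECTED:
                hits.append((lineno, " ".join(f[i + 2:])))
                break
    return hits

def fake_blob(key_type):
    """Constructed sample data: a key-type header plus padding, not a real key."""
    raw = struct.pack(">I", len(key_type)) + key_type.encode() + b"\x00" * 16
    return base64.b64encode(raw).decode()

SAMPLE = "\n".join([  # constructed authorized_keys content
    "# constructed sample",
    "ssh-ed25519 " + fake_blob("ssh-ed25519") + " alice@laptop",
    'command="echo hi there",no-pty ' + AFFECTED + " " + fake_blob(AFFECTED) + " bob@putty",
    "ecdsa-sha2-nistp256 " + fake_blob("ecdsa-sha2-nistp256") + " carol@host",
    AFFECTED + " " + fake_blob(AFFECTED) + " dave@old",
])

if __name__ == "__main__":
    for lineno, comment in find_affected(SAMPLE):
        print(f"line {lineno}: {AFFECTED} key ({comment}) - review and replace")
```

The key type is confirmed against the name stored inside the base64 blob, so a comment or option that merely mentions `ecdsa-sha2-nistp521` is not reported.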


@simontatham Given that that's 3 additional clicks in the PuTTYgen UI (ECDSA, Dropdown, nistp521) I can almost assure we won't have any in our enterprise.

Surprised to see that the default in PuTTYgen 0.81 is still RSA, and only 2048 bits. Ed25519 even works with RHEL 7 (EoL 2024-06-30).

@brnrd I must admit I've always been nervous about switching the recommendation over to any form of DSA. _Mostly_ because of exactly this fragile k business, but not only that. Though Ed25519 is IMO an improvement on integer DSA and NIST ECDSA – it's easier to see its security argument.

Plus I half expect any day now the post-quantum Next Big Thing will be standardised for SSH and then we'll all have to switch again.

Bumping the default RSA size, though, fair enough – patch welcome!

@simontatham seems like Red Hat is really hanging on to an OpenSSH version that still defaults to RSA. OpenSSH's default has been Ed25519 for years now, yet is lacking Ed448 support. Was pleasantly surprised to see Ed448 in PuTTYgen!

Let me see if I can cook up a patch for PuTTYgen's default! Nice challenge.

Thanks for creating and maintaining PuTTY all those years. It's been an essential tool for me since the previous century. If it weren't for WSL, I'd surely still be rocking PuTTY!