The developers of PuTTY have released an update to patch a critical vulnerability that can be exploited to recover secret keys.
PuTTY is an open source client program for SSH, Telnet, and other network protocols, enabling connections to remote servers and file transfers.
They noted that the required signatures can be obtained by a malicious server or from other sources, such as signed git commits.
PuTTY developers have provided an explanation on how a threat actor could recover a key and what they could use it for.
PuTTY versions 0.68 through 0.80 are affected, and PuTTY 0.81 fixes the vulnerability.
Several products that rely on an affected PuTTY version are vulnerable as well, including FileZilla, WinSCP, TortoiseGit and TortoiseSVN. Patches or mitigations are available for these products as well.
Affected keys must be revoked immediately, PuTTY developers urged users.
This Cyber News was published on www.securityweek.com. Publication date: Tue, 16 Apr 2024 17:13:03 +0000