I-PuTTY, umxhasi we-SSH odumileyo kwiqonga leWindows, unomngcipheko onobungozi (CVE-2024-31497) ovumela ukuba isitshixo sabucala somsebenzisi senziwe ngokutsha kusetyenziswa i-NIST P-521 Elliptic Curve ECDSA algorithm (ecdsa-sha2-nistp521) . Ukukhetha isitshixo sabucala, kwanele ukuhlalutya malunga nama-60 amasayino edijithali aveliswa sisitshixo esiyingxaki.
Ubuthathaka bubonakala buqala kwinguqulo yePuTTY 0.68 kwaye ikwachaphazela iimveliso ezibandakanya iinguqulelo ezisengozini yePuTTY, umzekelo, iFayileZilla (3.24.1 - 3.66.5), WinSCP (5.9.5 - 6.3.2), TortoiseGit (2.4.0.2 - 2.15.0) kunye noTortoiseSVN (1.10.0 - 1.14.6). Ingxaki yalungiswa kwi-PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3 kunye neTortoiseGit 2.15.0.1 updates. Emva kokufaka uhlaziyo, abasebenzisi bayacetyiswa ukuba benze izitshixo ezitsha kwaye basuse izitshixo zoluntu ezindala kwiifayile zabo ezigunyazisiweyo_ezitshixo.
Ubuthathaka bubangelwa kukungakhathali kwabaphuhlisi, abasebenzisa i-vector yokuqalisa (nonce) ngokusekelwe kwi-521-bit ngokulandelelana okungahleliwe ukuvelisa isitshixo se-512-bit, mhlawumbi bekholelwa ukuba i-entropy ye-512 bits iya kwanela kwaye i-9 eseleyo. azibalulekanga kangako. Ngenxa yoko, kuzo zonke izitshixo zangasese ezenziwe kwi-PuTTY usebenzisa i-algorithm ye-ecdsa-sha2-nistp521, ii-bits zokuqala eziyi-9 zevector yokuqalisa zihlala zithatha ixabiso le-zero.
Kwi-ECDSA kunye ne-DSA, umgangatho wenombolo ye-pseudorandom yejenereyitha kunye nokugubungela ngokupheleleyo ipharamitha esetyenziswa ekubaleni imodyuli ngedatha engacwangciswanga ibaluleke kakhulu, kuba ukumiselwa kwamasuntswana ambalwa ngolwazi malunga nevector yokuqalisa kwanele ukuthwala. khupha uhlaselo lokubuyisela ngokulandelelanayo lonke isitshixo sabucala. Ukubuyisela ngempumelelo isitshixo, kwanele ukuba ube nesitshixo sikawonke-wonke kwaye uhlalutye utyikityo lwedijithali oluveliswe kusetyenziswa isitshixo esiyingxaki sedatha eyaziwayo kumhlaseli. Uhlaselo luhla ekusombululeni ingxaki ye-HNP (iNgxaki yeNani efihliweyo).
Iisignesha eziyimfuneko zedijithali zinokufumaneka, umzekelo, xa umsebenzisi edibanisa kumncedisi we-SSH womhlaseli okanye kwi-Git server esebenzisa i-SSH njengothutho. Utyikityo olufunekayo kuhlaselo lunokufunyanwa kwakhona ukuba isitshixo sisetyenziselwe ukungqinisisa idatha engenasizathu, umzekelo, i-git yenza xa usebenzisa i-arhente ye-Pageant ye-SSH ukuqondisa kwakhona i-traffic kumamkeli womphuhlisi. Ukufumana idatha efunekayo ukubuyisela isitshixo ngexesha lokuhlaselwa kwe-MITM akunakwenzeka, kuba iisayinwe kwi-SSH azithunyelwanga ngokubhaliweyo okucacileyo.
Kuqatshelwe ukuba ukusetyenziswa okufanayo kweevektha zokuqalisa ezingaphelelanga zisetyenziswe kwi-PuTTY kwezinye iindidi zee-elliptic curves, kodwa kwii-algorithms ngaphandle kwe-ECDSA P-521, ukuvuza kolwazi olubangelwayo akwanelanga ukuphumeza uhlaselo olungundoqo olusebenzayo. Izitshixo ze-ECDSA zobunye ubungakanani kunye nezitshixo ze-Ed25519 azinako ukuhlaselwa.
umthombo: opennet.ru