GitHub revoked insecure SSH keys generated by popular git clients

Due to a vulnerability in a third-party library that increases the likelihood of duplicate SSH keys, the code hosting platform GitHub has revoked weak SSH authentication keys generated through the GitKraken git GUI client.

As an additional precaution, the Microsoft-owned company also stated that it has put protective measures in place to prevent vulnerable GitKraken versions from adding newly generated weak keys.

The dependency in question is keypair, an open source SSH key generation library used to create RSA keys for authentication purposes. The flaw affects GitKraken versions 7.6.x, 7.7.x and 8.0.0, released between May 12, 2021 and September 27, 2021.

The flaw, tracked as CVE-2021-41117 (CVSS score: 8.7), involves an error in the pseudo-random number generator used by the library. The resulting public SSH keys have low entropy (a measure of randomness), which makes them weaker and raises the probability that the same key is generated more than once.

“This may enable attackers to decrypt confidential information or gain unauthorized access to accounts belonging to victims,” said Julian Gruber, the maintainer of keypair, in an announcement issued on Monday. The issue has been resolved in keypair version 1.0.4 and GitKraken version 8.0.1.

Axosoft engineer Dan Suceava was credited with discovering the security vulnerability, and GitHub security engineer Kevin Jones with determining its cause and locating it in the source code. At the time of writing, there is no evidence that the vulnerability has been widely exploited to compromise accounts.

Affected users are strongly advised to review and “delete all old GitKraken-generated SSH keys stored locally” and to “use GitKraken 8.0.1 or higher to generate new SSH keys for each of your Git service providers”, such as GitHub, GitLab, Bitbucket, etc.
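The practical symptom of a low-entropy generator is that the same public key turns up under more than one account, so a useful review step is to fingerprint every key in an inventory (an `authorized_keys` file, or the keys exported from a Git hosting account) and flag any fingerprint that appears more than once. The following is an added example, not code from the article, from GitKraken or from the keypair library; it builds and parses OpenSSH `ssh-rsa` public-key lines, computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints, and reports duplicates. The inventory and the toy-sized moduli are constructed for the example and are not real keys.

```python
import base64
import hashlib
import struct
from collections import defaultdict

# --- OpenSSH wire-format helpers (RFC 4253 "string" and "mpint" encodings) ---

def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed byte string as used inside OpenSSH key blobs."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """Big-endian two's-complement integer; a leading 0x00 keeps it positive."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def encode_rsa_public_key(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys-style line: 'ssh-rsa <base64 blob> <comment>'."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_public_key_line(line: str):
    """Return (key_type, blob_bytes, comment) for one public-key line."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"not a public key line: {line!r}")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64)
    # The first field inside the blob must repeat the key type from the text.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode():
        raise ValueError("key type mismatch between text and blob")
    return key_type, blob, comment

def rsa_public_numbers(blob: bytes):
    """Decode (e, n) from an ssh-rsa blob, e.g. for modulus-size checks."""
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the format `ssh-keygen -lf` prints (no '=' padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_duplicate_keys(lines):
    """Group key lines by fingerprint and return only groups with more than one owner.

    One key blob appearing under several comments/owners is exactly the
    symptom of a low-entropy generator: different users received the same key.
    """
    by_fp = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, blob, comment = parse_public_key_line(line)
        by_fp[fingerprint(blob)].append(comment)
    return {fp: owners for fp, owners in by_fp.items() if len(owners) > 1}

# --- constructed inventory (toy-sized moduli, NOT real keys) ---
TOY_E = 65537
TOY_N_A = 0xC3A5D3F7B9E1D14F2A6B8C9D0E1F2A3B4C5D6E7F8091A2B3C4D5E6F708192A3B5
TOY_N_B = 0xD9E8F7A6B5C4D3E2F1A0B9C8D7E6F5A4B3C2D1E0F9A8B7C6D5E4F3A2B1C0D9E7

SAMPLE_INVENTORY = [
    "# constructed sample: two accounts ended up with the same key blob",
    encode_rsa_public_key(TOY_E, TOY_N_A, "alice@laptop"),
    encode_rsa_public_key(TOY_E, TOY_N_B, "carol@workstation"),
    encode_rsa_public_key(TOY_E, TOY_N_A, "bob@desktop"),
]

if __name__ == "__main__":
    for fp, owners in find_duplicate_keys(SAMPLE_INVENTORY).items():
        print(f"{fp} is shared by: {', '.join(owners)}")
```

To run this against real data, feed `find_duplicate_keys` the lines of an `authorized_keys` file or the `.pub` files collected from a team; a shared fingerprint means the key should be removed from every account that carries it and regenerated with a fixed client.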

Update: Alongside GitHub, Microsoft Azure DevOps, GitLab, and Atlassian Bitbucket have also begun large-scale revocation of SSH keys linked to accounts that use the GitKraken client to synchronize source code, urging users to revoke the affected SSH public keys and update to the fixed version of the application.
