GitHub revoked weak SSH authentication keys generated by a popular git client ie. the GitKraken git GUI client, since the third party library was vulnerable to duplication of SSH keys.
Github has as a precautionary measure taken this step to prevent potentially vulnerable versions of GitKraken from adding newly generated weak keys.
“Keypair”, the problematic dependency is an open-source SSH key generation library, it allows users to create RSA keys for authentication purposes. The dependency impacts GitKraken versions 7.6.x, 7.7.x, and 8.0.0, released between May 12, 2021, and September 27, 2021.
The flaw in the pseudo-random number generator used by the library to create a weaker form of public SSH keys. This is due to their low entropy — i.e., the measure of randomness — could boost the probability of key duplication.
Julian Gruber, keypair’s maintainer in an advisory published on Monday said, “This could enable an attacker to decrypt confidential messages or gain unauthorized access to an account belonging to the victim.” The issue has been resolved so far for keypair version 1.0.4 and GitKraken version 8.0.1.
The vulnerability was discovered by Axosoft engineer Dan Suceava. While GitHub security engineer Kevin Jones has been acknowledged for identifying the cause and source code location of the bug. As, of now, there is still no evidence of the flaw being exploited in the wild to compromise accounts.
Users affected by the vulnerability are advised to review and “remove all old GitKraken-generated SSH keys stored locally. Additionally also need to generate new SSH keys using GitKraken 8.0.1, or later, for each of your Git service providers ie. GitHub, GitLab, and Bitbucket, among others.
Netherlands Will Use Intelligence Or Military Services To Counter Cyber-Attacks
New U.S. Government Initiative Will Hold Contractors Accountable for Cybersecurity
Cybercriminals are Progressing faster than you with Kubernetes