Microsoft Azure DevOps, GitHub, GitLab, and Bitbucket, four of the largest code hosting services, have all revoked SSH keys en masse following a report of a vulnerability in GitKraken, a popular Git GUI client. The revocations followed the GitKraken engineering team contacting the Git hosting providers about the issue.

The bug, found in late September 2021 by the GitKraken team, lies in keypair, the open source JavaScript library that GitKraken uses to generate SSH keys programmatically. The affected library shipped in GitKraken versions 7.6.x, 7.7.x and 8.0.0, released between May 12 and September 27, 2021. Dan Suceava of Axosoft, the company behind GitKraken, found the flaw after "noticing that keypair was routinely producing duplicate RSA keys." The cause is an error in the pseudo-random number generator that keypair versions up to and including 1.0.3 use when generating RSA keys: the generator produces weak keys and, across separate runs, identical ones. Because the output repeats, an attacker running the same vulnerable code can end up with a key pair identical to a victim's and use it to decrypt confidential messages or gain unauthorized access to the victim's account on any service where that public key is registered, including other GitHub accounts secured with the same SSH key.

The SSH protocol used by GitHub allows you to log in without a username or password. To use it, a user generates an SSH key pair and adds the public key to the SSH key settings of their account; once the key is added, a Git client uses it to authenticate to GitHub automatically, with no username or password entered. Two people holding the same private key are therefore indistinguishable to the server.

To protect its users, GitHub revoked all keys generated by the affected GitKraken versions at 17:00 UTC (1 PM US Eastern), along with other potentially weak keys generated by other clients that may have used the same keypair dependency. GitHub's notice reads: "On September 28, 2021, we received notice from the developer Axosoft regarding a vulnerability in a dependency of their popular git GUI client – GitKraken. An underlying issue with a dependency, called keypair, resulted in the GitKraken client generating weak SSH keys. This issue affected versions 7.6.x, 7.7.x, and 8.0.0 of the GitKraken client, and you can read GitKraken's disclosure on their blog." GitHub added that, in addition to revoking the keys, it has "implemented protections to prevent vulnerable versions of GitKraken from adding newly-generated weak keys in the future." Users whose keys were revoked have been notified by GitHub and advised to review their SSH keys and replace any that were generated using the vulnerable library. GitHub recommends replacing any RSA key that was generated using keypair version 1.0.3 or earlier, whichever client produced it.

Axosoft fixed the issue in GitKraken 8.0.1, but upgrading alone is not enough: keys already generated by an affected version remain weak and must be replaced by removing them and adding new ones. Users who are not sure which version generated their keys are advised to renew them as follows:

1. Remove all old GitKraken-generated SSH keys stored locally (the hosting providers have already revoked them on their side).
2. Generate new SSH keys using GitKraken 8.0.1 or later for each of your Git service providers, and add the new public keys to those accounts.

GitKraken can do the provider-side step for you. Once a GitLab account has been connected to GitKraken, a key can be generated and added to the GitLab account from Preferences > Integrations: the "Generate SSH key and add to GitLab" button does in one click what used to take eight steps. To delete the key from the app configuration, click Actions > Delete; deleting the key also removes all repository references that use it.
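The collision the advisory describes is visible in the public keys themselves: two keys with the same RSA modulus are the same key, whichever account each is attached to. The following is an added example, not code from GitHub, Axosoft or the keypair library. It parses OpenSSH `ssh-rsa` public key lines, computes the `SHA256:` fingerprint that `ssh-keygen -lf` prints and that the hosting providers show in account key settings, and flags keys that share a modulus, which is the sweep a provider or an organisation would run over its collected keys. The three sample key lines, their owners and their toy 256-bit moduli are constructed for the demonstration (real keys are 2048 bits or more); only the wire format and fingerprint computation are the real ones.

```python
"""Find SSH public keys that share an RSA modulus.

Added example for this article; not part of GitHub's, Axosoft's or keypair's
code. Sample keys below are constructed with small toy moduli.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the OpenSSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    """Encode a positive integer as an SSH mpint: big-endian, with a leading
    zero byte when the top bit would otherwise be set."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def encode_rsa_public_key(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys-style line: 'ssh-rsa <base64 blob> <comment>'."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _read_string(buf: bytes, pos: int):
    """Read one length-prefixed field starting at pos; return (field, new_pos)."""
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    return buf[pos:pos + length], pos + length


def parse_rsa_public_key(line: str):
    """Return (e, n, comment) from an 'ssh-rsa' key line; reject other key types."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob = base64.b64decode(parts[1])
    key_type, pos = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob type does not match the line prefix")
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes in key blob")
    comment = parts[2] if len(parts) == 3 else ""
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big"), comment


def fingerprint(line: str) -> str:
    """SHA256 fingerprint of the key blob in the form 'ssh-keygen -lf' prints:
    'SHA256:' plus unpadded base64 of the digest."""
    blob = base64.b64decode(line.split(None, 2)[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_moduli(lines):
    """Map each RSA modulus that appears under more than one owner to the list
    of owners (key comments). Any entry here is a key collision."""
    owners = defaultdict(list)
    for line in lines:
        _, n, comment = parse_rsa_public_key(line)
        owners[n].append(comment)
    return {n: who for n, who in owners.items() if len(who) > 1}


# Constructed sample data (assumed owners, toy 256-bit moduli, not real keys).
SHARED_MODULUS = (1 << 255) | 0x123456789ABCDEF1
OTHER_MODULUS = (1 << 255) | 0x0FEDCBA987654321
SAMPLE_KEYS = [
    encode_rsa_public_key(65537, SHARED_MODULUS, "alice@laptop"),
    encode_rsa_public_key(65537, SHARED_MODULUS, "mallory@desktop"),
    encode_rsa_public_key(65537, OTHER_MODULUS, "bob@workstation"),
]

if __name__ == "__main__":
    for line in SAMPLE_KEYS:
        print(fingerprint(line), parse_rsa_public_key(line)[2])
    for n, who in find_shared_moduli(SAMPLE_KEYS).items():
        print(f"collision: modulus {n:#x} is shared by {', '.join(who)}")
```

Keying on the modulus rather than on the fingerprint is deliberate: the fingerprint covers the whole blob, so two keys with the same modulus but a different public exponent would get different fingerprints while still being the same factoring target. For a real sweep, feed the function the `ssh-rsa` lines pulled from authorized_keys files or an account key export and compare the reported fingerprints with the revocation notice.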