Users whose keys have been revoked are notified by GitHub and are advised to review their SSH keys and replace them if they were generated using the vulnerable library.Īxosoft recommends that users of their product utilize GitKraken 8.0.1 or later to generate new SSH keys for each Git service provider. GitHub also revoked other potentially weak keys generated by other clients using the same keypair library. To protect its users, GitHub revoked all keys generated by GitKraken at 17:00 UTC/1 PM EST. Other possibly weak keys produced by other clients using the same keypair library were also canceled by GitHub. We recommend replacing any RSA keys that were generated using keypair version 1.0.3 or earlier.ĭan Suceava of Axosoft found the flaw after “noticing that keypair was routinely producing duplicate RSA keys.” This could enable an attacker to decrypt confidential messages or gain authorized access to an account belonging to the victim. In addition to revoking these keys, we have also implemented protections to prevent vulnerable versions of GitKraken from adding newly-generated weak keys by the older, vulnerable versions of the client in the future.Ī Keypair is a JavaScript tool that allows you to programmatically generate SSH keys.ĭuplicate RSA keys were produced due to a vulnerability in the library’s pseudo-random number generator, allowing users to access other GitHub accounts secured with the same SSH key.Ī bug in the pseudo-random number generator used by keypair versions up to and including 1.0.3 could allow for weak RSA key generation. Today as of 1700 UTC, we’ve revoked all keys generated by these vulnerable versions of the GitKraken client that were in use on, along with other potentially weak keys created by other clients that may have used the same vulnerable dependency. This issue affected versions 7.6.x, 7.7.x, and 8.0.0 of the GitKraken client, and you can read GitKraken’s disclosure on their blog. An underlying issue with a dependency, called keypair, resulted in the GitKraken client generating weak SSH keys. On September 28, 2021, we received notice from the developer Axosoft regarding a vulnerability in a dependency of their popular git GUI client – GitKraken. GitHub and Axosoft, LLC, the developers of the popular GitKraken Git client, confirmed today that they have revoked weak SSH keys generated by the software’s keypair package. You may use the key with a Git client to automatically log in to GitHub without having to enter in your username and password once you’ve added it to your account. To do this, users would need to establish an SSH keypair and add the public key to their accounts’ SSH key settings. The development team is not aware of any accounts being compromised due to this weakness.The SSH protocol used by GitHub allows you to log in without a user name or password. The development team already notified the Git hosting service providers GitHub, Bitbucket, GitLab, and Azure DevOps, they also revoked the weak public keys used. Generate new SSH keys using GitKraken 8.0.1, or later, for each of your Git service providers.“ Remove all old generated SSH keys stored locally.Ģ. If you are not sure what version you used to generate your SSH key, we encourage you to renew your key through the following process.” reads the advisory.ġ. “This issue only affects GitKraken users who generated SSH keys through the GitKraken interface using versions 7.6.x, 7.7.x, 8.0.0. I deinstall gitkraken, delete the folder indicated. The latest version of the Git GUI client (version 8.0.1) uses a new SSH key generation library. Hello everyone, SInce the last update of Gitkraken (4.0.6) with snapcraft.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |