Microsoft, GitHub, GitLab, and BitBucket announced that they have initiated a mass revocation of SSH keys following the discovery of a vulnerability in the popular Git software client, GitKraken
In late September, the GitKraken team discovered a flaw in the open source SSH key generation library that was implemented in versions 7.6.x, 7.7.x, and 8.0.0 released between May 12, 2021 and September 27, 2021. We have discovered a flaw in the open source SSH key generation library implemented in versions 7.6.x, 7.7.x, and 8.0.0.
This flaw resulted in the creation of weakly formatted public SSH keys. Weak keys are created with low entropy, which increases the probability of the key being duplicated.
As of version 8.0.1, the GitKraken engineering team has fixed this issue by replacing the legacy SSH key generation library with a new one. Note: Customers upgrading to version 8.0.1 or later will continue to need to replace keys generated by GitKraken if they were generated with the affected version.
We have also reached out to GitHub, Bitbucket, GitLab, and Azure DevOps, all of which provide Git hosting services, to bring this issue to their attention. We worked closely with these providers to disable the vulnerable public keys that were being used. Wherever possible, the affected keys have been permanently blocked by the Git hosting service provider.
The mass revocation comes at the request of Axosoft, the Arizona-based software company that developed GitKraken and is also the company that discovered the security flaw in their software.
Axosoft explained in a blog post that versions 7.6.x, 7.7.x, and 8.0.0 of the GitKraken app used a library called “keypair” to generate SSH keys, allowing developers to connect the GitKraken app to accounts on remote Git source code hosting servers such as Azure DevOps, GitHub, GitLab, and BitBucket. GitLab, BitBucket, and other remote Git source code hosting server accounts, he explained.
However, according to Axosoft, older versions of this library generate RSA keys with low entropy, so an attacker could use this library to generate duplicate SSH keys under certain conditions.
The attacker can use this key to access the user’s account and steal the proprietary source code.
Axosoft stated that as soon as they discovered this issue, they replaced the key pair library in the GitKraken app, released version 8.0.1, and notified the four companies.
Shortly after Axosoft’s blog post, the security teams at Azure DevOps, GitHub, GitLab, and Atlassian’s BitBucket began revoking all SSH keys connected to accounts where the GitKraken app was used to sync source code. keys that were connected to the account where the GitKraken app was used to sync source code.
The four companies are now asking users to either use a different Git client or use the updated GitKraken app to generate a new SSH key.
Axosoft and four other companies have said that so far they have found no evidence that attackers have used this bug to compromise accounts.
GitHub also asks developers of other software applications, not just Git clients, to make sure they are not using vulnerable key pair libraries and to update their code accordingly.