
GitHub Revoked Insecure SSH Keys Generated by a Popular git Client
2021-10-12 21:39

Code hosting platform GitHub has revoked weak SSH authentication keys that were generated via the GitKraken git GUI client due to a vulnerability in a third-party library that increased the likelihood of duplicated SSH keys.

As an added precautionary measure, the Microsoft-owned company also said it's building safeguards to prevent vulnerable versions of GitKraken from adding newly generated weak keys.

The problematic dependency, called "Keypair," is an open-source SSH key generation library that allows users to create RSA keys for authentication-related purposes.

A bug in the pseudo-random number generator used by the library resulted in weaker SSH keys: because the keys were generated with low entropy (too little randomness), two independently generated keys could end up identical, which increased the probability of key duplication.

The issue has since been addressed in keypair version 1.0.4 and GitKraken version 8.0.1.

Affected users are strongly advised to review their keys, "Remove all old GitKraken-generated SSH keys stored locally" and "Generate new SSH keys using GitKraken 8.0.1, or later, for each of your Git service providers" such as GitHub, GitLab, and Bitbucket, among others.
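Because a low-entropy generator can hand two different users the same key pair, the server-side counterpart of the advice above is to check whether any two authorized public keys share the same key material. The script below is an added example written for this article, not code from GitHub, GitKraken or the Keypair library: it computes the same SHA256 fingerprint that `ssh-keygen -lf` prints for OpenSSH public-key lines and groups the lines by fingerprint. The sample authorized_keys entries are constructed from toy-sized moduli so the script runs offline; in practice you would feed it the lines of a real `authorized_keys` file or a list of keys exported from a Git hosting provider.

```python
"""Detect duplicate SSH public keys in authorized_keys-style lines (added example)."""
import base64
import hashlib
import struct
from collections import defaultdict

# Key-type tokens that mark where the key itself starts in an authorized_keys line
# (a line may carry options such as command="..." before the key type).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # leading zero keeps the two's-complement value positive
    return _ssh_string(raw)


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa' public-key line from the public exponent e and modulus n."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _key_fields(line: str) -> list:
    """Return [key_type, base64_blob, comment...] from a line, skipping any option prefix."""
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPE_PREFIXES):
            return fields[i:]
    raise ValueError("no SSH key type found in line")


def fingerprint(line: str) -> str:
    """SHA256 fingerprint of the key in a line, formatted like `ssh-keygen -lf` (no padding)."""
    blob = base64.b64decode(_key_fields(line)[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_duplicate_keys(lines) -> dict:
    """Map each fingerprint seen more than once to the comments (or line numbers) that carry it."""
    owners = defaultdict(list)
    for idx, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and comments
        fields = _key_fields(stripped)
        label = fields[2] if len(fields) > 2 else f"line {idx}"
        owners[fingerprint(stripped)].append(label)
    return {fp: labels for fp, labels in owners.items() if len(labels) > 1}


# Constructed sample moduli: toy-sized numbers, NOT real RSA keys, used only to exercise the check.
MODULUS_A = 0xC4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E
MODULUS_B = 0xB3D1F7A2C9E84D5F6A7B8C9D0E1F2A3B4C5D6E7F8091A2B3C4D5E6F708192A3B

SAMPLE_AUTHORIZED_KEYS = [
    "# constructed authorized_keys for the example",
    make_rsa_pubkey_line(65537, MODULUS_A, "alice@laptop"),
    make_rsa_pubkey_line(65537, MODULUS_B, "bob@desktop"),
    # same key material as alice under a different comment: the situation a
    # low-entropy generator can produce for two unrelated users
    make_rsa_pubkey_line(65537, MODULUS_A, "carol@build-box"),
]

if __name__ == "__main__":
    for fp, labels in find_duplicate_keys(SAMPLE_AUTHORIZED_KEYS).items():
        print(f"{fp} is shared by: {', '.join(labels)}")
```

Any fingerprint that shows up under more than one comment is a key that should be revoked everywhere it appears and regenerated with a fixed client, which is the same outcome the article's rotation advice leads to for GitKraken-generated keys.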


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/1rCjndod2Mc/github-revoked-insecure-ssh-keys.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Github 10 2 30 29 14 75
SSH 9 3 14 13 3 33