GitHub also revoked other potentially weak keys generated by other clients using the same keypair library. To protect its users, GitHub revoked all keys generated by GitKraken at 17:00 UTC/1 PM EST. Other possibly weak keys produced by other clients using the same keypair library were also canceled by GitHub. We recommend replacing any RSA keys that were generated using keypair version 1.0.3 or earlier.ĭan Suceava of Axosoft found the flaw after “noticing that keypair was routinely producing duplicate RSA keys.” This could enable an attacker to decrypt confidential messages or gain authorized access to an account belonging to the victim. In addition to revoking these keys, we have also implemented protections to prevent vulnerable versions of GitKraken from adding newly-generated weak keys by the older, vulnerable versions of the client in the future.Ī Keypair is a JavaScript tool that allows you to programmatically generate SSH keys.ĭuplicate RSA keys were produced due to a vulnerability in the library’s pseudo-random number generator, allowing users to access other GitHub accounts secured with the same SSH key.Ī bug in the pseudo-random number generator used by keypair versions up to and including 1.0.3 could allow for weak RSA key generation. Today as of 1700 UTC, we’ve revoked all keys generated by these vulnerable versions of the GitKraken client that were in use on, along with other potentially weak keys created by other clients that may have used the same vulnerable dependency. This issue affected versions 7.6.x, 7.7.x, and 8.0.0 of the GitKraken client, and you can read GitKraken’s disclosure on their blog. An underlying issue with a dependency, called keypair, resulted in the GitKraken client generating weak SSH keys. On September 28, 2021, we received notice from the developer Axosoft regarding a vulnerability in a dependency of their popular git GUI client – GitKraken. GitHub and Axosoft, LLC, the developers of the popular GitKraken Git client, confirmed today that they have revoked weak SSH keys generated by the software’s keypair package. You may use the key with a Git client to automatically log in to GitHub without having to enter in your username and password once you’ve added it to your account. To do this, users would need to establish an SSH keypair and add the public key to their accounts’ SSH key settings. The SSH protocol used by GitHub allows you to log in without a user name or password.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |