Microsoft Azure DevOps, GitHub, GitLab, and Bitbucket, four of the largest code hosting portals to date, have all issued a mass recall of SSH keys following a report about a vulnerability in GitKraken, a popular Git client.
The decision to revoke SSH keys was made after the GitKraken engineering team contacted the Git hosting providers about the issue. The bug, discovered by the GitKraken team in late September, resides in the open source SSH key generation library used by GitKraken versions 7.6.x, 7.7.x and 8.0.0, released between 5-12-21 and 9-27-21.
The vulnerability stems from an error in the pseudo-random number generator that keypair, the library in question, uses to produce RSA keys for SSH connections. As a result, a remote attacker can generate a duplicate of a victim's SSH key and gain unauthorized access to the affected systems.
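The mechanism behind the advisory, as an added illustration that is not part of the original report or of GitKraken's or keypair's code: a toy RSA key generator fed by a PRNG seeded from a single byte of entropy hands the same modulus to many different users, while the same generator fed by a properly seeded PRNG does not. The key size, seed width and key counts are constructed for the demonstration.

```python
import os
import random
from collections import Counter


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed witnesses; deterministic for the toy sizes used here."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_rsa_modulus(rng: random.Random, bits: int = 32) -> int:
    """Build n = p * q from whatever the supplied RNG yields, as a key generator would."""
    primes = []
    while len(primes) < 2:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full width, odd
        if is_probable_prime(cand):
            primes.append(cand)
    return primes[0] * primes[1]


def weak_rng() -> random.Random:
    """Constructed weak seeding: only 256 possible seeds, so only 256 possible keys."""
    return random.Random(os.urandom(1)[0])


def strong_rng() -> random.Random:
    """Seeded from 256 bits of OS entropy; collisions are not expected."""
    return random.Random(int.from_bytes(os.urandom(32), "big"))


def duplicate_fraction(make_rng, keys: int = 500) -> float:
    """Fraction of generated keys whose modulus also appears in another key."""
    counts = Counter(toy_rsa_modulus(make_rng()) for _ in range(keys))
    return sum(c for c in counts.values() if c > 1) / keys
```

With 500 keys drawn from the weak generator, well over half collide with another user's key; the properly seeded generator produces none.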
The vulnerability was fixed in GitKraken 8.0.1. However, the GitKraken team has warned that upgrading is not enough on its own: users must still replace any keys that were generated with one of the affected versions.
Users who are not sure which version generated their SSH key are advised to renew it as follows:
1. Remove all old GitKraken-generated SSH keys stored locally.
2. Generate new SSH keys using GitKraken 8.0.1, or later, for each of your Git service providers.