13 October 2021

Microsoft, GitHub, GitLab, and BitBucket revoke insecure SSH keys


Microsoft Azure DevOps, GitHub, GitLab, and BitBucket, four of the largest code hosting services, have each revoked SSH public keys generated by affected versions of GitKraken, a popular Git client, following a report of a vulnerability in the client's SSH key generation library.

The decision to revoke the keys was made after the GitKraken engineering team notified the Git hosting providers of the issue. The bug, discovered by the GitKraken team in late September, resides in the open source SSH key generation library (keypair) bundled with GitKraken versions 7.6.x, 7.7.x, and 8.0.0, released between 12 May 2021 and 27 September 2021.

The vulnerability stems from a flaw in the pseudo-random number generator that keypair uses to produce RSA key pairs for SSH connections. Because the flawed generator could yield the same key material on different installations, two unrelated users could end up with identical key pairs. An attacker who generates keys with the flawed library, or who otherwise obtains a duplicate, holds the private half of a key that another user has registered with a hosting service and can authenticate to that service as that user.

GitKraken 8.0.1 fixes the vulnerability, but upgrading does not replace existing keys: any SSH key generated by an affected version remains weak and must be replaced even after the upgrade.

Users who are unsure which version generated their SSH key should treat it as affected and renew it as follows:

1. Remove all old GitKraken-generated SSH keys stored locally.

2. Generate new SSH keys using GitKraken 8.0.1 or later for each of your Git service providers, upload the new public keys, and remove the old public keys from each account where the provider has not already revoked them.
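The duplicate-key condition described above is also something an administrator of a self-hosted Git server, or anyone reviewing an organization's authorized keys, can check for directly. The following Python script is an added example written for this page; it is not GitKraken's code, nor any hosting provider's. It computes OpenSSH-style SHA256 fingerprints, flags the same public key registered to different accounts (exactly what a weakly seeded key generator produces), reports RSA modulus sizes, and lists keys whose comment carries a marker. The inventory, the moduli and the "gitkraken" comment marker are constructed for the demonstration: the moduli are arbitrary 2048-bit integers rather than real RSA moduli, and GitKraken is not known to tag its keys with any particular comment.

```python
import base64
import hashlib
import struct
from collections import defaultdict

# --- helpers to build constructed ssh-rsa public-key lines for the demo ---

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire-format mpint: big-endian bytes with a leading 0x00 when the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def make_rsa_pubkey_line(n: int, e: int = 65537, comment: str = "") -> str:
    """Encode (e, n) as an OpenSSH 'ssh-rsa <base64 blob> [comment]' line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


# --- audit functions ---

def ssh_fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a public-key line (what `ssh-keygen -lf` prints).

    Only the base64 blob is hashed: the comment never affects the fingerprint, so the same
    key uploaded by two accounts with different comments still collides.
    """
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError(f"malformed public key line: {pubkey_line!r}")
    digest = hashlib.sha256(base64.b64decode(parts[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def rsa_modulus_bits(pubkey_line: str) -> int:
    """Parse the ssh-rsa blob (string type, mpint e, mpint n) and return the bit length of n."""
    blob = base64.b64decode(pubkey_line.split()[1])
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    return int.from_bytes(fields[2], "big").bit_length()


def find_duplicate_keys(inventory):
    """inventory: iterable of (owner, pubkey_line). Return {fingerprint: sorted owners}
    for every public key that is registered to more than one distinct owner."""
    owners_by_fp = defaultdict(set)
    for owner, line in inventory:
        owners_by_fp[ssh_fingerprint(line)].add(owner)
    return {fp: sorted(o) for fp, o in owners_by_fp.items() if len(o) > 1}


def keys_to_rotate(inventory, comment_marker="gitkraken"):
    """Return sorted (owner, fingerprint) pairs that should be replaced: any key shared
    across owners, plus any key whose comment contains comment_marker (case-insensitive).
    The 'gitkraken' marker is an assumption for this example, not a documented convention."""
    dup_fps = find_duplicate_keys(inventory)
    flagged = set()
    for owner, line in inventory:
        fp = ssh_fingerprint(line)
        comment = " ".join(line.split()[2:]).lower()
        if fp in dup_fps or comment_marker.lower() in comment:
            flagged.add((owner, fp))
    return sorted(flagged)


# Constructed sample inventory. The moduli are arbitrary 2048-bit integers chosen for the
# demo, not real RSA moduli; alice and bob hold the same key, as a weak PRNG would produce.
_N_SHARED = (1 << 2047) | 0x1234567
_N_UNIQUE = (1 << 2047) | 0x7654321
_N_OTHER = (1 << 2047) | 0xABCDEF
SAMPLE_INVENTORY = [
    ("alice", make_rsa_pubkey_line(_N_SHARED, comment="alice@laptop")),
    ("bob", make_rsa_pubkey_line(_N_SHARED, comment="bob@desktop")),
    ("carol", make_rsa_pubkey_line(_N_UNIQUE, comment="GitKraken carol")),
    ("dave", make_rsa_pubkey_line(_N_OTHER, comment="dave@work")),
]

if __name__ == "__main__":
    for fp, owners in find_duplicate_keys(SAMPLE_INVENTORY).items():
        print(f"DUPLICATE {fp} shared by {', '.join(owners)}")
    for owner, fp in keys_to_rotate(SAMPLE_INVENTORY):
        print(f"ROTATE    {owner} {fp} ({rsa_modulus_bits(SAMPLE_INVENTORY[[o for o, _ in SAMPLE_INVENTORY].index(owner)][1])}-bit RSA)")
```

Run against a real inventory, the fingerprints match those shown by `ssh-keygen -lf` on the same public-key files, so flagged entries can be cross-checked against each provider's list of keys registered to an account. The point of the duplicate check is that it needs no knowledge of the flawed generator: any key that shows up under two accounts is compromised for both, whatever produced it.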

