Gitkraken ssh key
8/8/2023

Between generating new SSH keys, cloning Git repositories, viewing commit diffs, creating pull requests, and on and on. But do you ever sit back and think about.

On September 28, 2021, we received notice from the developer Axosoft regarding a vulnerability in a dependency of their popular git GUI client, GitKraken. An underlying issue with a dependency, called keypair, resulted in the GitKraken client generating weak SSH keys. This issue affected versions 7.6.x, 7.7.x, and 8.0.0 of the GitKraken client, and you can read GitKraken's disclosure on their blog. Today as of 1700 UTC, we've revoked all keys generated by these vulnerable versions of the GitKraken client that were in use on, along with other potentially weak keys created by other clients that may have used the same vulnerable dependency. In addition to revoking these keys, we have also implemented protections to prevent the older, vulnerable versions of GitKraken from adding newly generated weak keys in the future.

We also investigated the possibility that weakly generated keys in use on came from other third-party clients and integrators also using this vulnerable library. The nature of this vulnerability prevents us from identifying all possible weak SSH keys produced by this library and the vulnerable clients that used it. Out of an abundance of caution, we've also revoked other potentially weak keys associated with these scenarios and blocked their use. Users whose keys have been revoked by GitHub are being directly notified. This was not the result of a compromise, data breach, or other data exposure event of GitHub or our systems, but rather an issue with a library commonly used to generate SSH keys for use with GitHub.

We recommend that you review the SSH keys linked to your GitHub account and rotate any keys that could have been generated using the vulnerable library. For information on how to review your SSH keys, visit.

Administrators of GitHub Enterprise Server deployments can review the SSH keys added to their instances by reviewing public_key.create actions in the site admin dashboard audit log. These results can be filtered to specific user agents to identify potentially vulnerable clients.

GitHub would like to thank Axosoft for reaching out to GitHub immediately and informing us of this issue. We would also like to thank Julian Gruber for working with GitHub Security Lab to quickly address the underlying issue in the keypair library and their collaboration on GHSA-3f99-hvg4-qjwj. For more information, please visit GitKraken's blog post at.

To connect a repository over SSH with the Git Integration for Jira app:

1. On your Jira Cloud dashboard, go to menu Apps, then Git Integration: Manage integrations.
2. On the top-right corner click on Add integration.
3. Under the Self-hosted group, click on Plain git repository.
4. Paste the SSH git clone URL into the Host URL field.
5. Paste the private SSH key into the provided box, or click Upload Key File to upload a private SSH key file.

When you generate a replacement key with ssh-keygen, this creates a new SSH key, using the provided email as a label, and prints:

> Generating public/private ALGORITHM key pair.

> I'd be grateful for any tips on how to tell if a keypair is weak.

All keypairs generated by affected versions of GitKraken are weak, because the underlying RNG used to generate these keypairs was weak. CVE-2021-41117 explains that the affected versions of GitKraken used a weak random number generator to generate key pairs. Therefore, it is possible that identical keypairs may have been created by two different users using the software. So, it is possible that someone else may have the same key pair as one of your users. A bad actor may even use the weak RNG to generate large numbers of keypairs, in hopes of finding one that matches one in use. If that person notices that their public key is the same as your user's, then this means that they also know your user's private key, because these are also the same. If someone else knows the private key of one of your users (by way of the above), then they can use this to authenticate with your system as that user.

Unfortunately, there is no way for you to know if someone else has the same keypair as one of your users as a result of this bug, or if a bad actor may exploit this bug to generate the same keypair as one of your users in the future. Additionally, the advisory does not describe a particular way of identifying a keypair that was created by the weak RNG. This is why the advisory is recommending that users cease using any keys that were generated with affected versions of GitKraken, revoke these keys, and replace them with newly generated ones. But this requires action on the part of the user that created the keypair.
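The two defender-side checks the page describes, filtering public_key.create audit events by client user agent and looking for identical public keys registered by different users, can be scripted. The block below is an added example written for this page; it is not code from GitHub, GitKraken, or the forum poster. The audit-log field names (action, actor, user_agent, key), the "GitKraken/X.Y.Z" user-agent format, and all key material are assumptions constructed for the example; the only thing it takes from real tooling is the OpenSSH SHA256 fingerprint format, which is computed exactly as ssh-keygen -lf does so the output can be compared against a real key list.

```python
import base64
import hashlib
import re
import struct
from collections import defaultdict

# GitKraken versions the page names as affected: 7.6.x, 7.7.x and 8.0.0.
VULNERABLE_MINOR = {(7, 6), (7, 7)}
VULNERABLE_EXACT = {(8, 0, 0)}


def ed25519_pubkey_line(fake_pubkey: bytes, comment: str) -> str:
    """Build a well-formed 'ssh-ed25519 <base64 blob> <comment>' line.

    The 32 bytes are constructed filler for this example, not a real key;
    they only give us a correctly encoded OpenSSH public-key blob to hash.
    """
    assert len(fake_pubkey) == 32

    def sshstr(b: bytes) -> bytes:          # SSH wire string: 4-byte length + bytes
        return struct.pack(">I", len(b)) + b

    blob = sshstr(b"ssh-ed25519") + sshstr(fake_pubkey)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH SHA256 fingerprint of an authorized_keys-style line.

    Same value ssh-keygen -lf prints: sha256 over the decoded blob,
    base64 with the trailing '=' stripped. The comment field is ignored,
    so two users who registered the same key get the same fingerprint.
    """
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def gitkraken_version(user_agent):
    """Assumed user-agent format 'GitKraken/X.Y.Z'; None if not GitKraken."""
    m = re.search(r"GitKraken/(\d+)\.(\d+)\.(\d+)", user_agent or "")
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_client(user_agent) -> bool:
    v = gitkraken_version(user_agent)
    return v is not None and (v[:2] in VULNERABLE_MINOR or v in VULNERABLE_EXACT)


def triage(events):
    """Walk public_key.create events and return two findings:

    flagged: (actor, fingerprint, user_agent) for keys added by affected clients
    shared:  {fingerprint: [actors]} for any key registered by more than one actor,
             which is the collision case the forum answer warns about
    """
    actors_by_fp = defaultdict(set)
    flagged = []
    for e in events:
        if e.get("action") != "public_key.create":
            continue
        fp = fingerprint(e["key"])
        actors_by_fp[fp].add(e["actor"])
        if is_vulnerable_client(e.get("user_agent")):
            flagged.append((e["actor"], fp, e["user_agent"]))
    shared = {fp: sorted(a) for fp, a in actors_by_fp.items() if len(a) > 1}
    return flagged, shared


# Constructed sample events modelled loosely on a GitHub audit-log export.
# alice and bob register byte-identical keys, the duplicate case we want to catch.
SAMPLE_EVENTS = [
    {"action": "public_key.create", "actor": "alice", "user_agent": "GitKraken/7.7.1",
     "key": ed25519_pubkey_line(bytes([0x11]) * 32, "alice@example.com")},
    {"action": "public_key.create", "actor": "bob", "user_agent": "GitKraken/8.0.0",
     "key": ed25519_pubkey_line(bytes([0x11]) * 32, "bob@example.com")},
    {"action": "public_key.create", "actor": "carol", "user_agent": "GitKraken/8.0.1",
     "key": ed25519_pubkey_line(bytes([0x22]) * 32, "carol@example.com")},
    {"action": "public_key.create", "actor": "dave", "user_agent": "Mozilla/5.0",
     "key": ed25519_pubkey_line(bytes([0x33]) * 32, "dave@example.com")},
    {"action": "repo.create", "actor": "erin", "user_agent": "GitKraken/7.6.0", "key": ""},
]

if __name__ == "__main__":
    flagged, shared = triage(SAMPLE_EVENTS)
    for actor, fp, ua in flagged:
        print(f"ROTATE  {actor:<8} {fp}  added by {ua}")
    for fp, actors in shared.items():
        print(f"SHARED  {fp} registered by {', '.join(actors)}")
```

The user-agent filter only finds keys whose upload was recorded with an affected client; a weak key uploaded through the web UI or another integrator looks like any other, which is why the duplicate-fingerprint check is run over every public_key.create event regardless of client. A match between two actors is a strong signal, but its absence proves nothing, since the attacker's copy of a colliding key is never in your log.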