
The GitHub code hosting platform revoked weak SSH authentication keys that were generated through the GitKraken git GUI client due to a vulnerability in a third-party library that increased the likelihood of duplicate SSH keys.

As an added precaution, the Microsoft-owned company also said it is putting safeguards in place to prevent vulnerable versions of GitKraken from adding newly generated weak keys.

The problematic dependency, known as keypair, is an open-source SSH key generation library that lets users create RSA keys for authentication. The bug affected GitKraken versions 7.6.x, 7.7.x and 8.0.0, released between May 12, 2021 and September 27, 2021.

The flaw – identified as CVE-2021-41117 (CVSS score: 8.7) – concerns a bug in the pseudo-random number generator used by the library. It results in a weaker form of public SSH keys which, because of their low entropy (that is, the measure of randomness), have an increased probability of being duplicated.

“This could allow an attacker to decrypt confidential messages or gain unauthorized access to an account belonging to the victim,” keypair maintainer Julian Gruber said in a notice published Monday. The issue has since been resolved in keypair version 1.0.4 and GitKraken version 8.0.1.

Axosoft engineer Dan Suceava was credited with discovering the security flaw, while GitHub security engineer Kevin Jones was credited with identifying the cause and the source code location of the bug. At the time of writing, there is no evidence that the flaw has been exploited in the wild to compromise accounts.

Affected users are strongly advised to examine and “remove all old GitKraken generated SSH keys stored locally” and to “generate new SSH keys using GitKraken 8.0.1, or later, for each of your Git service providers,” such as GitHub, GitLab and Bitbucket, among others.
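The audit below is an added example, not code from the article, GitHub or the keypair project. It parses OpenSSH-format RSA public keys and flags the two outcomes of a low-entropy generator: exact duplicates (same fingerprint in different places) and distinct moduli that share a prime factor. The sample keys are constructed from tiny primes so the check runs offline; real keys are 2048 bits or more.

```python
import base64
import hashlib
import struct
from itertools import combinations
from math import gcd

E = 65537  # common RSA public exponent


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    # SSH mpint: big-endian bytes with a leading 0x00 when the top bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_rsa_pubkey(e: int, n: int, comment: str) -> str:
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_rsa_pubkey(line: str) -> dict:
    parts = line.split()
    blob = base64.b64decode(parts[1])
    fields, off = [], 0
    while off < len(blob):  # walk the length-prefixed fields of the blob
        (ln,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    if parts[0] != "ssh-rsa" or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"comment": parts[2] if len(parts) > 2 else "", "fp": "SHA256:" + fp,
            "e": int.from_bytes(fields[1], "big"), "n": int.from_bytes(fields[2], "big")}


def audit(lines):
    keys = [parse_rsa_pubkey(l) for l in lines]
    findings, by_fp = [], {}
    for k in keys:  # identical keys reused in different places
        by_fp.setdefault(k["fp"], []).append(k["comment"])
    findings += [("duplicate", tuple(o)) for o in by_fp.values() if len(o) > 1]
    for a, b in combinations(keys, 2):  # different moduli sharing a prime
        if a["n"] != b["n"] and gcd(a["n"], b["n"]) > 1:
            findings.append(("shared-factor", (a["comment"], b["comment"])))
    return findings


# Constructed sample: toy moduli from tiny primes, comments are hypothetical
SAMPLE_KEYS = [
    encode_rsa_pubkey(E, 61 * 53, "alice@laptop"),
    encode_rsa_pubkey(E, 61 * 53, "alice@desktop"),  # exact duplicate of the first
    encode_rsa_pubkey(E, 61 * 59, "bob@ci"),         # shares prime 61 with alice's
    encode_rsa_pubkey(E, 67 * 71, "carol@build"),    # independent key
]

if __name__ == "__main__":
    for kind, who in audit(SAMPLE_KEYS):
        print(kind, who)
```

Point it at the public keys collected from `~/.ssh/*.pub` files or from a provider's key export to spot reuse before rotating.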

Update: Along with GitHub, Microsoft Azure DevOps, GitLab, and Atlassian Bitbucket have also carried out mass revocations of SSH keys connected to accounts where the GitKraken client has been used to sync source code, urging users to revoke the affected SSH public keys and generate new ones using the updated version of the application.